Defence minister Des Browne has admitted that the Ministry of Defence (MoD) has lost not one, but three laptops containing unencrypted information since 2005. Last week, it emerged that the MoD had lost a laptop containing the personal details of 600,000 people who had expressed an interest in joining the armed services. The …
Encyption is not the real issue...
If the information wasn't on the laptop in the first place, encryption is not needed. First they should find out how & why the information got there.
Because they can
This is just another reason why the idea of a central UK ID database is a bad idea. People put vast wads of data, unencrypted, onto their laptops because they can. Technology makes it easy, and it makes their work easier to have the data to hand. It doesn't matter what regulations the organisation has in place, and people aren't being malicious or even lazy, they do it because they can.
Now consider how data storage is progressing. It is not inconceivable that in 10 years time somebody at UK_ID central is going to download the entire ID database onto their mobile phone. Because it's convenient for them, and because they can.
Now, if this is almost inevitable and easy for someone who is simply wanting to make their work easier, what's going to stop someone who is actually has more devious plans in mind for the data (and by that I don't just mean criminals)?
This is ludicrous...
Can someone comment on if we can bring the equivalent of Class Action status lawsuits against HMRC, MoD, the DVLA, and the inspectors who EPIC FAIL at their job for not spotting this?
I'm serious. Someone find out. We need to stop this.
Why is this data on a laptop in the first place?
Scales of Measure
Ok, I think it's time for El Reg to update it's "scales of measure".
We've got weights and spaces, and so on, but we need a new measure of "leakage" I think. Is a Burrell more porous than an MoD? Is a DWP more leaky than a clean install of a Vista?
We need answers Reg, and we need them now!
(Hilton icon because I need things making really simple!)
"Lost" or "Stolen"
"Lost" is nicer as it implies it might soon be found with minimum damage or inconvenience. "Stolen" should be used as it implies it's gone forever at the hands of criminal nerdowells with associated prejudicial consequences. (eg I've lost my socks, someone has stolen my Ferrari). If the data is valuable the effort to crack any encryption will be commensurate - wooops!
I anticipate some squaddies may well be wanting to tax their brother/sister soldiers on their deficiency in the security measures taken in this matter.
If it weren't so sad it might be laughable. What is the UK equivalent of a Siberian posting? There is an applicable quote from Oscar Wilde but I can't remember it 'cos I've longterm misplaced my marbles.
And no doubt the Home Office are still insisting that our ID data will be safe with them...
(Paris because Jacqui Smith seems about as bright...)
We asked the MOD what this super, if under-used, form of encryption was.
Historically it was Kilgetty. http://www.cesg.gov.uk/site/caps/Kilgetty/index.cfm.
Anyone reckon there's plenty of bidding for COMPAQ Evo N600c laptops round about now?
it's not just the junior officer's fault...
Yes, he should have the book thrown at him. It's not as if the fiasco about the missing CD's didn't make the news. He can hardly say he didn't know.
BUT the person who runs the systems should also be shot. It should not be possible to download the stuff onto a laptop in the first place.
Even I have whole disk encryption
I tend to keep very little data on my laptop, but sometimes I have to travel far and then need to lug it al with me. I've had for years full disk encryption on my laptop, and even when using Linux the /home partition is an encrypted mount.
It's all very cheap as well so there is no excuse IMHO. Encrypt by default, but put strong data management procedures in place too. I'm waiting for some idiot to suggest DRM - it almost seems a strategy to drive the Gov that way. Have you noticed just how many stories have emerged?
Is someone trying to boost Vista sales?
@Tim Spence -- The Laptop That Never Was
I suspect that sometimes these are like "the man that never was" (a corpse made to look like a drowned naval courier, with planted false invasion plans, in WWII) -- a way of leaking misinformation to certain parties. They'd have to be well-packed with other information, to stop it being too obvious.
Type of encryption.
This loss could have been avoided with the use of LDB&M encryption.
Locked Door, Bricks & Mortar would have stopped it being nicked in the first place - what kind of cretin leaves a laptop in a car?
"lawsuits against HMRC"
Yeah, there's no LEGAL way of getting redress from your government.
Your only routes are
a) voting them out (doesn't work for civil servants and unappointed quango's etc)
b) insurrection. revolt.
Try to sue a lawyer, though.
Will. Not. Happen.
@John Sturdy - planting information
Well, at least they can use the details of 25 million citizens to make it look authentic - they're out there already anyway, so might as well brick their market value somewhat..
Because they can't.
Presumably, if there *were* an all-singing, all-dancing central database, you wouldn't be able to get it onto a laptop. There are far better arguments against than that.
I'm more worried about the new spirit of openness from Government agencies here. Rather than coughing under duress to losing something last year, they're now issuing press releases pointing out that they lost important data yesterday (i.e. *before* it's had its hard disk wiped and been flogged down the pub) and giving away enough detail to ensure that whoever's got it knows they have.
Whoever's nicked it must really appreciate this.
Losing it is stupid. Telling the thief that his latest aquisition is stuffed with highly valuable data while this piece of information is still of great interest is sheer f***ing lunacy.
Rules are there - blame the squidy bits
By the look of the laptop it was probably supplied before it was mandatory for laptop HDs to be encrypted (assuming it's even an MOD supplied laptop).
The encryption used for restricted info and above is robust so it's a fair comment re the military grade encryption statement (look at the likes of becrypt).
Whatever way, the technical rules here were find - depending on how the material was classified if should never have been on the machine at all (thin client) or encrypted. This isn't a fault of us techies, but the management!
But what will actually happen...
Why tell him, so he can tell them they've been naughty and not allow them to use their Playstation for a week?
Until Richard Thomas and his department hand out some meaningful fines vital data will continue to be posted on CDs, stored on laptops given to morons and dumped on roundabouts.
it WAS Kilgetty...
but Kilgetty was ported only to MT4 (no personal experience, but I gather it was a bit of a clunky b****rd to use)
Our MinDef wasn't quite accurate when he stated that MoD use something better than that available to us mere mortals. Currently the full-disk encryption for laptops processing up to RESTRICTED (pertinent level of Protective Marking in this instance) approved by CESG is AES@128-bit.
AES@256-bit is approved for downgrading SECRET to be treated as if it were RESTRICTED.
For higher levels of Protective Marking and for purposes other than full disk encryption CESG approved algorithms tend not to be public domain. In the lack of any evidence to the contrary, I will not provide any opinion about acceptability of security-by-obscurity.
Lets have some sackings
Sack the junior officer for leaving the laptop in the car. No excuses. He wouldn't leave his wallet on the passenger seat would he?
And sack the IT staff repsonsible for allocating laptops if they failed to notify the user about leaving equipment in a car. Definitely sack them if they're allowing confidential data to be taken and moved onto a laptop in this slipshod manner.
Obviously Des 'two jobs' Browne is in over his head, so off with it! (His head that is...)
"Vote them out" - and watch them be replaced with another set of corporate whores, hell bent on recreating 1984 with astonishing accuracy? Not liklely.
"Insurrection. Revolt." - It's not really something one does by one's self. Plus, the nation is so blase right now regarding personal privacy vs. (in)Security thanks to Terr'rism in High Definition that it would get no momentum.
This government and the corporations it protects so diligently are the hand pushing down on the head of the water-treading UK population. They'll either paddle until their legs give in and fall listlessly into slumber, or they'll grab that hand and drag them down with them.
Jeebus, I sound like a conspiracy nut. Maybe they had a point all along...
To lose one laptop is unfortunate...
...to lose three looks like carelessness. :)
Apologies to Oscar Wilde.
Because they can't
"People put vast wads of data, unencrypted, onto their laptops because they can."
I think they put vast wads of data irrelevant to their immediate purpose on laptops because it's easier than extracting just the data they need.
I wish I could just give Home Insulation Grants every detail of 1.3 million people instead of trying to pick out the ones who are over 70 and haven't got social landlords and still live here and aren't in care homes or prison or dead or duplicate records...
Full-disk encryption all fine and well but...
the large and difficult to remember passwords (of which you tend to require at least three different ones to log in) tend to be stuck on to the laptop itself as nobody can remember them.
Go into any MOD office and look under the mousemats to see how secure the IT network is...
3 levels of password protection
Low Level - can be guessed
Mid level - requires some processing power
High level - a Post-it on the top of the screen
RE: voting them out..
It won't really do anything (voting them out) as civil servants are appointed whereas politicians are elected.
It is an age old <cough! cough> in which those doing the things are hidden under politicians cloaks?
I take issue with this
"the implementation of the encryption mechanism within these specific products has been assessed such that its strength is considered suitable for the protection of MoD data"
The 3 laptops I bought off ebay last week clearly show this isn't the case..
What about 'after the event' security?
If all organisations used a 'morning after' tool they wouldn't need to worry about encryption. Once a laptop is reported lost or stolen it can be located through the mobile phone network and the data deleted before the machine has even completed the boot sequence.
The thief has a blank laptop but so what, the owner has a report that states categorically that all the data was deleted, where and when. It can even triangulate and locate the laptop so if the police were interested they could pinpoint it on a map.
This could change the world
Raging incompetence rulez ok.
Simple solution here for the Govt in general. All data relating to, or from, the citizenry needs to be classified data. Stick a "Confidential" classification on it and it won't get lost. Don't bother with "Restricted" - that's controlled slightly less than illicit photocopies of the Times crossword .
Yes, this will drive costs up, but not as much as widespread identity theft? The only downside is that the news hacks will have to look a little further for stories about Govt imcompetence (but not **that** far eh?)
Although I'm outraged at the lack of security these organisations seem to have, the real issue is not how easy it is for criminals to get hold of personal information, but how easily they can use it to obtain money, goods and services!
Banks, as the main gateway to your money, need to have better procedures to prevent misuse of personal data for financial fraud. After all, much your "personal" data is public domain anyway, it gets handed to individuals and organisations all the time: hire a car and book a flight and you wil be asked for your passport number, driving license number and credit card details. We hand these details over on a regular basis.
Most 'personal' data is really just a User ID; its the rest of the security mechanism (the password, certificate etc.) that needs to be protected.
Jeremy Clarkson's recent "experiment" highlighted this very problem.
Just follow precedent
"The Royal Navy ... is considering what action to take against the junior officer."
Well clearly they should court-martial him and give him a slap on the wrist, followed by a promotion and a transfer to Naval intelligence as liaison officer to the foreign agency that wanted the data. If it works out well, later on they could make him First Sea Lord.
Does nothing change?
Years ago, there was a break-in at one of my former employer's sites. We were told the next day, "[n] laptops were stolen. But don't worry, they were all new laptops, waiting to be issued to employees."
Cutting out the bulk of the story, there were five managers whose laptops were stolen. Only one of the five managers had any significant unencrypted data on his system. (Unfortunately, one of the unencrypted data items was a passwords list, which included passwords for a few encrypted files on a second manager's laptop.) The manager was not specifically penalized for his lack of data security.
@it WAS Kilgetty...
...and now it's Flagstone. Except if you're a plank, and you haven't turned your data-stuffed laptop in in order to have Flagstone fitted.
Umm. Think this one should be Anon...
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series
- Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
- Episode 9 BOFH: The current value of our IT ASSets? Minus eleventy-seven...
- Too slow with that iPhone refresh, Apple: Android is GOBBLING up US mobile market