Personal details of potentially all current and ex-RAF personnel and dependents were stored on three USB-connected storage drives which went missing from a Ministry of Defence establishment at Innsworth, Gloucestershire. Both the MoD police and Gloucester Police are investigating a presumed theft. A statement from the MoD said …
...is it always unencrypted? I never see headlines with "Hard drives/CDs lost containing mountains of securely encrypted data, risk minimal."
It is EASY, any mildly competent "IT guy" that doesn't deserve to be flogged and promptly sacked knows how to encrypt sensitive data, especially if it's going to be transported/portable in any way.
Perhaps not the doors..
"Access to the room in question is via two successive manned security doors. Visitors need a pass and an escort to pass between the two doors"
They probably got in through the Windows - I've heard Windows can be very insecure.
Yes, please, mine's the straightjacket. Can you just tie the arms there? Ta...
Sorry I'm still wiping the coffee from my screen. Even the military haven't learned the basic lessons. Can someone please steal all the personal data from every MP / MSP and while we're at it all the police. Until then even Bond is't safe !
I'm just getting my coat . . . yes everything seems in order sir . . . can you escort me to the gate - I always get lost on this empty base.
Why no encryption
Why on earth do they not use some form of disk encryption like PointSec ?
A5 size hard drives
Is this a new standard that is just a bit bigger than 3.5" Hard Drives?
Correct me if i'm wrong but...
Isn't it a legal requirement to encrypt this kind of data?
Very helpful people on the helpline
Right now they have no way of knowing (read: disclosing) what information has gone missing, but they're taking details of all individuals, and will be contacting all those involved to the level of risk exposed.
I didn't expect anything more, but they're certainly helpful.
The site never has much in the way of perimeter security, even under the RAF. After 9/11, the guard on the main gate looked a bit more alert, but there is still miles of rickety fence around the back. Some of that was improved when they sold off a substantial amount of land for housing, it was around that time a small hut next to the firing range, adorned with a sign reading "Radioactive, no loitering" was changed to "Inflammable, keep out".
MoD Security Reqs
Having worked in the past for a defence contractor the basic requirements of securing data are in two principals.
1) The site is secure, and therefore so is the data.
2) When the data is finished with disks are to be wiped to the set standard.
I am sure you can see a few problems with that. If anyone has any problems with me writing this visit the GSA (or their new name which I can't remember) and its all for all to see. Having said all that this was 2 years ago and so there may have been a substantial change. I doubt it.
"There is no indication that the theft was motivated by a desire to obtain the data, nor that the data has been exploited maliciously in any way;"
^ Seriously - how do they know? I gotta say you don't break into a locked box in a room past two doors where you need an escort just to nick 3 hard disks to upgrade your game rig...
Do data theives now leave a note saying "hahaha - I r t3h ruthless data theif now is selling your datas 2 Nigerian spammorz ha ha haha!"
Here is an idea
How about everyone over there petition your government to simply get rid of all this "security" non sense. Take everyones records, transpose them into word documents then take those documents and burn them onto DVDs. Then send a copy of the DVDs to every household address in the country. There problem solved, everyones data is out in the wild and none of this having egg of their faces for yet another breech in security. No muss, no fuss, no trials everyone is happy.
Isn't it a legal requirement to encrypt this kind of data?
There is no legal requirement mandating encryption in the public sector, or most sectors for that matter. It's only the banking sector which has such regulations.
Paris - Because she has more sense than some of these complete numptys.
they're taking details of all individuals,
Well that's an easy way of rebuilding the database then.
why the hell ..
cant they encrypt the information. its not as if it costs a fortune. and its not that hard either. havent they heard of truecrypt.
No need for encryption
For those that are suggesting encryption is the answer, I think you should elaborate. Physical security via "two successive manned security doors" is sufficient to prevent unauthorised access to data. Whoever stole the data has the ability to access it (or the physical security policy wasn't working!)
There is however a risk that should be considered: if physical security permits theft then data is accessible. Note that the risk only arises if physical security is violated. If this is thought to be a threat then encryption should be used. Theft of all computing equipment should be considered and hence all hard drives should be encrypted.
It's just a ruse
Now that the entire of RAF personnel are compromised it would be sound common sense to disband the RAF and replace it with missiles and UAVs . Then the government can cancel the expensive carriers and use catapulted disposable UAVs thus reducing the Navy too.
Now, how do we compromise the Army to get rid of them as well, so that we can outsource British defence and use the money saved to make ID cards more complicated?
The real problem is people keeping records on other people.
Doesn't it strike you as a bit odd to do that anyhow, sort of nosey, invasive, and creepy.
People need to rethink that bit, because that is the crux of the problem. You should be able to control and maintain your own notes, and apply whatever security you like to them. There is a line to how much data should be stored by another on a person, and time and time again we see how far over that line organisations have stepped.
You know, I cannot think of one thing that the Government has done in the last decade that has had a positive effect on society, something for the greater collective good, instead I can only think of all the bizarre control systems that have been put in at great expense that are all fundamentally flawed.
What is going on, it is like they hate the people, it is a very sick to take governance from.
I KNOW WHO DID IT!
It was the milkman! Have you never noticed that just about every Avenger episode is set on an old RAF base.
Then along comes the cyborg/crim/maniac/spy on his milk float and does the deed....flipping obvious to us armchair dicks. (I mean detectives :))
Mines the leather one with Emma Peel...........oh my god!
It's an plot by some kind of criminal mastermind!
I demand to know where Dr Evil and mini me are currently sewing mailbags ... oh, that information was on one the hard drives?
@AC re. Ho hum
I agree with you there AC. I think it's totally amazing (and unforgivable) that the Personnel/Pensions department of a large organisation has a database of all current and previous employees. What was the purpose of that? Way legitimate use could they have for it? Invasive and creepy, as you said.
What really needs looking into...
...is not so much the security aspect (securing media that is) as the reason all this data is being kept.
After all, prior to the introduction of computers (say, 1960), did they retain all this data?
I rather think not. The problem seems to be that it's now so easy to store the data - insecurely of course - that there's a magpie tendency to acquire and hoard everything... Useful or not, relevant or not.
Horse and bolted
I just called the number, the person there did there best to help me inbetween rousing renditions of the battle of britain them (I kid you not!). In the end they want me to send in 2 pieces of photocopied identity, shame they're resorting to the school of horse and bolted now. I wonder if the thief had to present 2 forms of identity?
@ AC, Frank and Chris
Er... Hang on a minute. If they did not have my details... how would I get paid, or claim my pension.
I think you'll find that pre-1960 they had lots of overly polite ladies who lived in the filing cabinets who made sure I would be paid.
Its not *having* the data here that matters... it's the not SECURING it that's pee'd me off. Hmph.
Mines the one with a HD in the pocketses
'T was the Deep ones...
The office could obviously be accessed through a hatch, leading to a watery tunnel.
RAF-personnel will now start disappearing under mystic circumstances. Some, but not all will be found again. Alas, all found will be raving mad.
@AC "Horse and Bolted"
I pointed out the irony of sending information through the post that makes me uniquely identifiable to discover what information they may have lost that makes me uniquely identifiable!!
Mine's the one with the keys for the security doors in the pocket........
Maybe this is why I'm not a detective ...
Perhaps I'm thinking a bit too simple here but it sounds to me more like someone just fancied a bit more room for their pr0n collection.
The locked cupboard was probably the stationery cupboard or something and the person with light fingers probably thought they were old crap that would never be missed.
I bet they're shitting themselves now though.
"There is no indication that the theft was motivated by a desire to obtain the data, nor that the data has been exploited maliciously in any way"
In a separate incident, involving the theft of money, a spokesman said that there was no indication that it would be exploited or used to buy things...
For Queen & Country
Being Irish, the title is a bit painful for me to write....
Honestly though, people fighting for their country (even if they are unaware of the real reasons) should not ever be in a psoition where they and their families are targets to both terrorists and ID thieves.
Maybe after the last recruitment drive, when their numbers were dwindling after insane invasions they had too many applicants and this is their method of reducing applications?
Also@ John Watts- I think you may just have hit the nail on the head, Mate!
- Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
- Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
- Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
- Feast your PUNY eyes on highest resolution phone display EVER
- Wall St's DROOLING as Twitter GULPS DOWN analytics firm Gnip