The Ministry of Defence and contractor EDS are frantically checking the bins this morning for a missing hard drive containing records of 100,000 servicemen and women and their families. The case is worrying, even by this government's cretinous standards, because of potential targeting of people who worked in Northern Ireland or …
One word really...
I appreciate that these organisations are huge and keeping tabs on everything is hard. It's not impossible though, especially with the added weight of how important these sorts of details are given the current number of fun events the US have invited our Tommies to join in.
Someone needs to swing this time, this really is utterly, utterly pathetic!
( Need a disgusted of Tunbridge Wells icon, flogging a dead vulture will have to do. )
Why the f*** can't portable drives, laptops and flash sticks be supplied to the MoD pre-encrypted, so the dorks can't actually use them in an unsafe state. Encryption may not be a perfect defence, but it will at least slow down the extraction of data. Perhaps what we need is MoDAMoD -- a ministry to defend us against the MoD.
Please check all jacket pockets before leaving the building -- make sure you have at least one storage media full of sensitive data.
how can this keep happening?
another month another data leak - yet they want a system to hold all our data in? yeahh right
Jee I can't wait till the government, filth and civil servants store all my information in ID Databases and spying data silos.
What the hell?
Why is all this data anywhere but the database? What are these people using it for? How would all the information regarding 100,000 people be of use to anyone other than ID theft? Is it just that these people are so useless they use "SELECT * FROM" every time they do a database query?
I want some answers, dammit!
Great day for burying it. Bastards.
And they still plough ahead with cards. They'll fuck that up too, as sure as darkness follows daylight.
I just hope Brown et al. have a very long period of darkness, and soon.
Lacking even the basics
I'll admit that I am particularly tech-savvy, but I have a TrueCrypt file on my hard drive that was ridiculously easy to set up through a wizard-based process, and even provides plausible deniability - it's frighteningly easy nowadays to manage your data in an at least fairly secure manner. What on earth were they thinking?
Where to start?
Gob. Smacking. Lord in heaven. I like the fact that EDS was obeying the rules and auditing, but there's no point in counting beans if you haven't thought perhaps to keep those beans secure. One civil servant is being prosecuted, but clearly this is institutional stupidity and has to be eradicated root and branch. If my mind hadn't been completely boggled by earlier losses, I would be 100% boggled now.
Let's get it over with, just get the government to set up a web site with a searchable index of the complete personal details of every single person in the whole UK (except politicians of course) so that no government department or contractor ever needs to fear a data loss again.
With a little luck they could implement it in under ten years at a cost of around 500 billion.
You will always lose data...
Although, these people could be a "little" bit more careful, the only solution to the problem is to not store any sensitive information, especially if it does not relate to your business (i.e. why were data on servicemen's families stored?).
It's about time EDS was sacked as the prime contractor, bunch of incompetent fools, they'd make a bloody good Government!
You don't lose this data, someone has nicked it. Fuc*ing contractors, they should throw the CEO in the brig.
Sensitive data has gone missing like this since before there were computer systems. All that has changed is 1. If Joe Public finds it he heads to The Sun instead of his local bobby. 2. Outsourced IT departments tend to own up to cock ups that in-house civil servants would bury.
Just my 2p.
Dispense with EDS perhaps?
F$ck me... the combined barrels of 7th Armoured Div's tanks should be pointed straight at EDS HQ, and upon the command "Fire" - dispense with the lot of them!
Really shouldn't piss off the people with the biggest guns IMO.
I think you might see more of these, as it's not that they're losing them on a daily basis; with all the auditing companies like EDS are doing they are coming up short on numbers (which I'm sorry to say if most of the techies here did at their place of work would also be missing some equipment, and don't get on your high horse and start flaming because you're just lying to yourself) so are having to declare them as stolen. They're not stolen, they're just either sitting in a room that no one knows about or have been disposed of and not been reported.
I bet most of this equipment is so old the only spec it's good for is Windows 98.
If you see a story like 1,000 MoD personnel have fake IDs created in their name, i.e. the information is actually in the hands of the so-called criminals, that's when you all get on your high horses!
Pretty much all drives are portable today
The encryption is more of an issue. But most modern systems have hot-plug drives for availability and serviceability reasons.
Once, Twice, Thrice
Once is happenstance. Twice is coincidence. Thrice is enemy action. About time the Security Service got involved .... very involved.
It's not infeasible that agents-provocateur, or plain spies, have infiltrated a number of military organisations and/or their contractors over the years and are using "data loss" as a cover for deliberate data theft. Sure, some of these incidents are utterly foolish accidents, but all of them? I mean, do you expect a spy to leave a note saying "I stole this data" or even leave no trace so that when use of said information is detected at some point it immediately indicates a professional operation has taken place? More likely that professional data theft would be "covered" by a seemingly idiotic event like this.
On prevention: encryption is a pretty good defence - providing the cypher and associated handling procedures are robust, as they are for all classified information (I can't name grades of classification and their specific procedures, I'm afraid, or men in dark suits will pay me a visit, but I would have thought this depth and breadth of information would have warranted procedures that would make this kind of loss extremely unlikely). Why weren't there robust procedures in use here? And have these people ever heard of a fucking safe?
As has been said - heads (plural) should roll.
I'm thinking that the best way to recover this data (and as a happy by-product find out really how much info has been lost by UK Gov Ltd) is to get trawling the seedier sides of the net for sellers of this kind of data. Surely, right now there is a forum where someone is advertising premium identity info for 3 million UK citizens at a reasonable rate per 10,000?
This is the M.O.D. - the outfit ultimately responsible for the security of the U.K.
Hmm, it used to be us looking at the Mekins and smirking about 'military intelligence' -- it would appear that the U.K. is now a 'no smirking' zone.
Back up? -- too bloody right it gets my back up!
I didn't fight in two world wars etc. etc.
Re: You will always lose data...
Exactly. And the real solution is - if you have a database USE IT!!! This is what databases and client-server systems are for.
So from this perspective I would actually like HMG to stop messing around and finally start using databases instead of allowing gazillions of public service drones (and their outsourced equivalents) to have gazillions of uncontrolled mini-databases for their own perusal. Forbidding the government drones to buy MS Access under the threat of using "Philip IV the Fair treatment" would also be a nice idea (otherwise the temptation to dump the main database locally will continue to cause problems).
Paris, as she has proved capable to guard her data better than HMG IT depts
Frankly, I'm worried about the income stream the govt. will be losing from FOI and Data Protection Act requests. There's no point in paying them for a copy of Everything They Know about me when I can just download it from WikiLeaks in a couple of weeks time.
Icon of someone rifling through an EDS contractor's coat.
I trust we'll see more prosecutions under the OSA
Maybe we should have a separate judicial process, just to speed them up. And a dedicated facility to incarcerate them, like in The Fortress.
Prediction come to pass
I am in the armed services and it has long been a topic of conversation when (not if) this was going to happen.
What is really scary is the sheer volume of information that we have to give the MoD/Government. If you go through the full security clearance, it includes all bank accounts, addresses for the last 10 years, mother's maiden name, all relatives' names, DOB & address, employees over the last 10 years, passport copy, driving licence copy and so on. About the only thing they don't have is my pet's name. This information is sufficient for total and complete identity theft.
We have said that it was only a matter of time before some or all of this information is 'lost', and our lives would be totally screwed. And what could we do about it? Nothing. Leaving the services is not even an option as the information is still there and ready to lose.
Still, we can always rely on the Government to recognise the problem and help us out if the worst happens, can't we?
With their track record why on earth is anyone still using them?
OK, I need an explanation here.
When PA Consulting lost data, the Government was quick to announce "a contractor had lost data bla bla" and they got rightfully hammered for it (partly because the government got there first).
Explain to me why EDS doesn't get the same treatment? The volume is higher, it was from secured premises and the data is sensitive too.
I'm no friend of PA or EDS, I just find the difference in treatment interesting. Maybe EDS hasn't publicly worked on an ID card project?
Of course we can rely on the Government. They sincerely care about the privacy and safety of their serving men and women. And our families.
Only two days ago, I was expressing the wonder* that we hadn't had a lost CD/HD/laptop/memory stick lately, and here it is!
*Only verbally, I'm afraid. Should have done it in Ladbrokes, but I don't suppose I'd have got very long odds...
Is it time for a data tsar?
... don't anyone take this the wrong way, but it is rather comforting to know that bureaucrats are idiots regardless of the country. I'm wondering if Prussia had the right idea, that incompetent and corrupt government officials could be tried twice for the same crime. That's against the constitution here in the US, but hey, the US government has shown repeatedly that it doesn't have to follow its own laws.
Calm Down Calm Down!
So someone swiped an old backup disk to keep their p2p downloads on. Who is responsible for security on the site, the contractor or the MoD?
Corrections and assumption
1) EDS employees are not Civil Servants
2) EDS is a subsidiary of HP, obviously the HDD has been taken away by HP for auditing purposes
Civil Service Union PCS asks Govt. to protect its members' interests rather than they be made redundant and the work sent offshore, as planned by HP, on Wednesday, on Friday this loss is reported. Interesting, isn't it, especially with GB & Co willing to sell the UK to the highest bidder
Posted anonymously for obvious reasons
The problem is...
...EDS doesn't own any buildings, it just leases them. So, the buildings don't have any inherent or specific security. I worked for EDS on one of their "big" accounts. Every day I saw mobiles, memory sticks, PDAs, even cameras! etc. on the desks of workers in full view.
Managers sent an email every so often to remind people about security to cover their backs, but in reality, they're useless. Few were ever cautioned.
In Cobalt, North Tyneside, they have the DWP and MOD accounts in the same building. Yet, any Joe Public can access the car park, in fact it's used as a shortcut to other places! The MOD is fairly secure as it has turnstile security, yet anyone could probably (and has) accessed the DWP by simply gate-tailing staff!
In my opinion, there should be a secure locker area where you store your coat, food, keys, mobiles etc. then enter the main office by turnstiles.
People who work there have OUR details in their hands! Not once has any laptop been searched coming in or out! In fact, I hope this doesn't give anyone ideas, a person could enter DWP and log into their system without anyone asking questions as they don't have a "visitor" area, usually someone just sat at any desk and plugged in....who the hell is he? Don't know - don't care!!!
That's EDS security.
i would suggest
if the government/MoD can't be arsed encrypting their data i would suggest that they start buying secure pen drives (like the IronKey with built-in encryption/anti-tamper tech)
so even if the drive is misplaced the data will be safe.
it seems as though the MoD/government will never learn from their mistakes and will carry on their merry data-losing ways
Key issues concerning the massive loss of data by British MoD.
I'd suggest there are a number of key issues to keep in mind when considering the massive loss of data by British MoD. Here's a few to begin with:
1. The data/security paradigm changes when data are moved from hard/paper copy to a machine-readable form. Most people still think of security and access in paper-based terms, not that of electronic data which is a very different animal. Had the records been stored on traditional paper-based record systems then there would have been no breach of security.
2. Data in electronic form acquires a range of new and powerful properties when compared with that of the same records stored on hardcopy/paper. For example, stealing 600,000 plus paper-based records would be nigh on impossible, but this electronic 'loss' is not even theft as far as we know--just incompetence and mishandling. Those handling or using this data do not understand the differences between the electronic data and hard copy paradigms (especially a problem in government bureaucracies). Ipso facto, if they did then this data security breach would not have happened. Unfortunately, this lack of understanding is not unique; even those in the data processing/security game have a very poor understanding of the problem: for they usually concentrate on specific security issues and technicalities, not why or whether certain facts or information should or should not be committed to electronic storage, or what the implications are if the data falls into unwanted hands.
3. It is questionable whether certain forms of sensitive data should actually be transferred into an electronic format, especially if bound into fully collated databases (as here). If electronic records are absolutely essential then the data can be held in multiple parts in distributed databases--one part alone being useless without others. (The fact that this data is not secured and managed in such a way that its loss would be trivial ought to be of great concern. Computer science just hasn't evolved sufficiently to always guarantee security and simultaneously make it easy and foolproof to implement: only electronically encode that which is essential.)
4. Governments, control freaks and penny-pinching accountants etc.--those with a police state mentality--want all records conveniently to hand, often for very questionable reasons including very little practical justification or need. In this instance, not only have they collected and collated vast amounts of sensitive personal data and stored it in an easily 'losable' form but the very act of doing so is one of utter irresponsibility. The loss of such important data (and on such a grand scale) together with security systems that are so weak and in such disarray--to the extent that they permit such losses--has to be an act of malfeasance.
4.1 Essentially, what has happened here is that an act of treason has been committed against the 'collective of citizens' [who constitute part of the state]--those who gave their personal data on the understanding that their government would keep it secure but who failed through negligence, inter alia.
4.2 There's little doubt that this incident will be hushed up, and there will be a scapegoat or two or possibly not even that. Moreover, I'll bet it happens again sometime soon, remember this is not the first of such incidents. With Britain going to a universal ID card what would happen if Al-Qaeda or similar organization were to ever get such a file? Even a friendly power such as the USA would be only too happy to snap up such valuable data, no questions asked.
5. Whether relevant or not, Governments, bureaucrats and security services have a Nazi-like obsession in collecting vast amounts of data on citizens, and there is no obligation on those collecting it to even tell citizens that they are doing so let alone let the citizen see or review the data. Whether storing so much detail about citizens in vulnerable electronic format (such as in single but comprehensive databases) is warranted or not ought to be publicly debated, especially by those whose data it is. Again, this incident only highlights the privacy debate which isn't happening!
6. It's questionable whether sensitive data of this kind really needs to be fully collated in one location, but if it is then there should be no reason for it to ever move from that location (except to another of the same status/security for backup purposes).
7. There is NO need for any other person or entity to have this data, and--in human rights terms--NOR does anyone else have the right to the data (just on basic privacy grounds alone let alone other reasons). If contractors require data to test systems etc. then non-identifying aggregated data should be supplied. Duplicating such data without the full consent of the citizens involved should be seen as a breach of not only their privacy but also their human rights. Remember, these are no ordinary records, an enemy could use them to annihilate soldiers before they're engaged on a battlefield--the lost records could perhaps put the very security of the country at risk. Even if this loss is not a high risk then the modus operandi that let it happen will inevitably repeat itself sooner or later, and most likely when the stakes are higher.
8. Computers, through their vastly increasing processing capability, are availing governments with new and unprecedented powers by stealth, and we citizens need to question and scrutinize them--if but for no other reason than our own safety. Surveillance and monitoring of the citizenry is at an all-time high and justified, as always, in the hoary old name of 'security'--an emotive word whose very use 'justifies' the excuse to quell any in-depth public debate on the subject.
8.1 This incident, and others similar, should never have been allowed to happen. Again, it proves beyond reasonable doubt that governments can and do act irresponsibly towards their citizens whilst knowing better; moreover, they continue to get away with it without necessary scrutiny and public accountability because we continue to let them do so.
Events such as this data 'loss' enable us the citizenry to gain a small insight into the creeping and inextricably increasing powers of governments and we should use every such opportunity to rein in these abuses. If we ignore them then we do so at our own peril.
In the interests of Democracy and good governance, when our governments act so deplorably it is the duty of we citizens to ensure that those responsible be held accountable, and we must insist the issues be widely and publicly debated, and not hidden and whitewashed in the name of security.
And this is all we know.....
This is a public admission of data loss. This has only been coughed to because it has been investigated to death first and only at the very last moment when the declaration has to be made has it come out. This is bad enough but consider that vastly more data is processed and sent without any mention of it.
Consider the operators taking database dumps, minimum paid people, frequently contractors, frequently remote......na, they never copy the data.
Once outsourcing started this was always going to be the end game. We all need to get over it, if there is a computer record on you, you can bank on the fact it has already been leaked or lost or copied. The only thing we are worrying about is the scale and distribution of our data.
I vote for a grave stone, cus this should make the proper end of EDS. If the government let them carry on as their main outsource partner now they must be mad.