MoD admits data loss bigger than thought
The MoD has admitted that the hard drive lost by EDS contained more information, on more people than originally believed. We reported on Friday that EDS had lost the removable and unencyrpted drive containing detailed records on 100, 000 servicemen and women and names and phone numbers for 800, 000 people who had applied to join …
Is that 200 milli-people or 200 Million people? If the latter who are they, apart from the 60-odd million who live in the UK? I bet the other 140 million are even more pissed off than us Brits!
"Ainsworth said the MoD holds data records for 200m people."
Really? That's a lot of people.
Even if the MoD had data records on all the people in the UK, plus all the places we'd invaded recently, that's a lot of people.
Or do they have records on everyone in the UK since, ooh, the early nineteenth century (I'd imagine that would get close to 200m).
Or are they saying they have data on 200m people, so that when they express 1.7m as a percentage, it looks really small? Or am I just being cynical, and really they're just incompetent?
Pars, 'cos she's liable to overstating her figures....
This sort of stuff makes me mad. To demonstrate total disregard to something so basic a requirement as data protection is akin to constantly sticking the proverbial finger up. Government departments and other organisations amaze me. Why should I have any respect for them, give them any data they require on time or even answer the bloody phone from them when they show such contempt for me?
They should all hang, after all the bloody politicians have been despatched.
I see they were quick to prosecute a civil servant for leaving secrets on a train but do they prosecute a huge firm losing so much data... nah they pay too much into New Labour....
To set up a helpline for those who fear their personal details are now in Russia, or just to flipping encrypt the data in the first place?
"...the MOD is clear about the crucial need to implement wholesale improvements in how we store, protect and manage the use of personal data"
Yes, indeedy. A good decade or more after the rest of the world.
for people who think their personal details could be at risk.
Please tell me that the drive that's been 'lost' isn't the only copy of this data that the MOD have!
A helpline is NOT what's needed. They should be contacting each and every person on this 'list', and EDS should be footing the fucking bill.
Then they get SACKED!
Useless Fuckers.
The authorities are a joke. Nearly every week we hear of serious information security lapses. I'm amazed we won the cold war of old because we must have leaked like a sieve. Of all organisations, one would hope, think and expect the MOD to be secure, but apparently they aren't and they seem unable to implement the most basic of measures. Ignorance, stupidity and ineptitude appears to be rife.
How often does it need to be said? Don't store sensitive data on portable devices. Don't store sensitive data unencrypted.
Trust the government with ID cards? I wouldn't trust them with a bag of sweets!
And the current population of the UK is?
I guess buying a turkey early is one way to avoid a queue in December
El Reg babbled:
>"Ainsworth said the MoD holds data records for 200m people."
No he bloody didn't. You linked to the statement, I suppose you must have read it?
What he said was:
"We have undertaken a series of comprehensive reviews into our personal data holdings, looking wider than our personnel systems, and assess that we hold in excess of 200 million records."
If you take a wide enough view of what constitutes personal data, then it's not hard to see that one can accumulate 200 million records (the word 'record' has a specific meaning to people who understand databases) relevant to many fewer than 200 million people.
Is there anyone who hasnt had THEIR personal data given away by the Government ????
I feel as though i might as well publish all my data online at least that would be a choice i freely made.......
They always blame a contractor, well it doesnt rub with me,whoever the data is originally handed to is totally responsible for that data and without the persons explicit permission it should never have left their control/be copied etc etc.....
Its about time we saw ministers sacked over this,its now a monthly occurrence and is of more danger to the majority of the british people than any terrorist threat.
As has been said, they should personally write to all people concerned,giving all the details that have been given away, a guide to how to change your bank account if it was lost.The letter should be personally signed by the minister of defence,and the chairman of the half witted firm this contract was given too.....that should at least be a reminder to them what plonkers they are.
Let them have my personla details!
As soon as the ID Cards are rolled out to everybody, it won't matter! I'll be the only one with my REAL identity!
What, someone already has a card with that information on? He used it to do WHAT on an aeroplane?
F*ck.
The MoD have got back to us now - they hold 220m records, not 200m, and they haven't finished counting yet.
They do not know how many people this refers to - one person is likely to have several different records but they have no average figure for records per person.
the audit is due to finish at the end of the month.
I just commented on the "Home Secretary rejects McKinnon anti-extradition plea", referring to exactly this scenario.
A guy can be threatened with spending most of his life in prison for removing *no* sensitive military data - but no EDS executive will *ever* get prison time for losing gigabytes of sensitive military data.
The amount of "damage" McKinnon did was no more than what Microsoft do every 2nd Tuesday of the month, or when some 1st level tech installs SQL /IIS without patching and hardening.
The servers McKinnon browsed were unsecured and unencrypted. The EDS data should have been encrypted, and shouldn't have been put onto removable storage.
Seems to me like the EDS data loss is substantially more.
Why isn't the British Govt raising extradition warrants against the executives of EDS or HP?? Due to their employees' criminal incompetence, the lives of thousands of active or former military personnel are in danger.
Or, will they wait for some IRA/Balkan nutjob/Al Kiddie to knock off a few retired generals *before* deciding to not press charges and not extradite anyone??
No more excuses, this is the MoD FFS - if the people in charge of our military and "Official Secrets" can't keep info secure, then they should be bloody penalised! There are at least 3 heads that need to roll.
1. I/C Security at Innsworth. Whichever wuckfit is responsible for the security of a SECURE MILITARY INSTALLATION and allows any goddam numpty to lift hardware out of the building without being able to track who went in there (I have to sign my just for keys every time I go on a military site for low-risk buildings, never mind high-security areas!)
2. I/C Security at EDS. Even if the drive HAS been removed from a secure (supposedly) location, the data retrieved should be inaccessible and/or unreadable as a backup against wuckfit #1. This wuckfit should also have his job/salary/pension/testicles forcibly removed to prevent him (and future generations of him) from being put in such a position again.
3.I/C Security for the MOD. No reason why wuckfits #1 and #2 should be the only ones to suffer. Am fed up of Government departments/officials/ministers being untouchable when the brown sticky hits the white whirly. They get paid huge salaries allegedly as 'responsibility money' so that it focuses the mind to get it right. When they fail, they should be penalised by losing their jobs - risk and reward (reward for continuing to get it right, risk of losing high salary WITHOUT a golden handshake/cushy position on board of big company when they screw up). Boot a few of these buggers, maybe the rest may start to focus on their jobs more, rather than worrying which Commons bar to get sloshed in this week.
By handing this information over to EDS in the first instance?
can't the dummies use dummy data for testing? Why does it have to (our) live data all the bloomin time?
Surely you could even write a batch file for MS Dos to churn out line after line of randomly generated data with the required field delimeters etc.
Look people, stop blaming the MoD for this data loss. The hard drive was held on a secure site of a private company.
There are a whole load of regulations around storing such data and security records will have to be kept by the private company which are available for inspection by the MoD. The MoD have almost certainly discharged their obligations correctly, the problem lies with some individual within the private company.
At the end of the day, it could be as simple as an employee of EDS not returning the removable hard drive back to the safe at the end of the day, being left out on a desk somewhere.
That's not the MoD's fault.
It could have been misplaced, or it could have been intentionally removed from the building.
The only way you're going to stop that is physically search everybody every time they come and go from the building (or fasten RFID tags on all the drives and have scanners at the entrances/exits to the building).
This is not the same kind of case of taking USB flash drives, sending unencrypted CDs through the post. It's almost certain the hard drive is not routinely taken off site: it's not intended for that.
Remarks over whether the data was encrypted or not are almost certainly not an issue.
The security classification governs the rules as to how the data should be handled, stowed, transported. Encrypting the data makes that data more secure and effectively reduces the security classification and slightly less strict rules apply as to how the data should be handled.
You don't treat top secret data in the same way you treat restricted. That's the whole point of having a number of different levels of protection, you give stronger protection to the data that actually warrants it. God help us, if we had to treat all data as Top Secret, it would be unworkable.
Given that the removable hard drive ( removable, not portable, understand the difference) was in a secure environment, it's classification would have been graded appropriately, and it would have been handled accordingly. It would not need to have been encrypted, unless the drive was being handled differently: such as sending on to another secure site.
So questions of whether the drive was encrypted or not are irrelevant and not important.
Since all my databases now belong to everyone (prepared to pay for the data)... I don't suppose there is any reason left to fear the EULA agreement on service pack 3.
Don' t you find all this uninformed vitriol depressing?
The MoD has produced new guidelines for all portable CIS. Hard disks in laptops are to be fully encrypted, as are CD/ DVD optical disks and USB storage devices. If they are not fully encrypted, they are not to be removed from MoD premises. The MoD has also provided recommendations on what software and hardware solutions to use to accomplish this, the most recognisable being the package formerly known as Reflex Magnetics DiskNet Pro. The first problem is that it is now down to individual units to implement the new policy, which takes time and costs money, which in the currently climate of overspend and cost-cutting, including staff retasking and redundancy, will be a bit of a struggle for most units. The second problem is that the MoDs DII C and DII F systems, which are owned and managed by the ATLAS consortium, were implemented without any thought to the encryption of removable media and so the ATLAS consortium suddenly finds itself endeavouring to find a solution to a new customer requirement, across globally deployed systems. Of course, being designed from the ground up as a centrally managed infrastructure, this will be a fairly simple and straightforward task, as all of you experienced sys admins will be aware.
I guess that the big problem is that all this is pain in the arse for the end user who is not in the slightest bit interested in security and just wants to be able to use his memory stick on his computer. But I don' t think that issue is unique to the MoD or government.
Shouldn't this be called "data leak" instead of "data loss"? I mean, they did have a backup, did they??
