Secretary of state for defence Des Browne has admitted that the laptop lost by the Ministry of Defence containing details of up to 600,000 defence personnel was not encrypted, and also that services personnel have previously lost two more laptops containing similar unencrypted recruitment information.
In a speech to Parliament on Monday, Browne said that Ministry of Defence (MoD) procedures for safeguarding data had not been followed in the case of the laptop stolen this month.
"This is an extremely serious matter. The MoD has clear systems in place — they ought to have been respected," said Browne. "It's clear that the database files were not encrypted and that the shortcoming is in the security training of the relevant staff."
On 9 January, the unencrypted laptop was stolen from a recruiting officer's car which had been left overnight in a car park in Edgbaston, Birmingham. Browne said he was told on 14 January that the information was not encrypted, at which point the MoD took the "immediate precaution" of securing all further laptops held by recruitment officers.
The information on the stolen laptop included 3,700 people's bank details, as well as other data on up to 600,000 people, including their names. Approximately 153,000 people also had data including addresses, passport details, national insurance numbers, driver's licence details, doctors' addresses and National Health Service numbers compromised, said Browne.
Democratic Unionist Party MP William McCrea said that the security risk to recruits in Northern Ireland had been increased as a result of having their personal details compromised.
Browne said he was fully aware of the security risk to the military personnel involved, having been a minister in Northern Ireland.
"I'm absolutely certain some people [have been] affected in Northern Ireland — they will receive a letter if they are," said Browne.
Steps had been taken to keep the intelligence services and the Information Commissioner's Office informed throughout the episode, said Browne, adding that the risk to service personnel would increase if the information "fell into the hands of extremists". Lieutenant General Sir Edmund Burton, who advises the government on information assurance strategy, has been appointed to look into the incident and produce a report.
Browne also gave details concerning the two other unencrypted laptops lost by recruiting officers: a Royal Navy laptop was stolen in Manchester in October 2006 and an Army laptop was stolen from a recruiting office in Edinburgh in 2005. Neither laptop was encrypted.
"The data on none of these three laptops [was] encrypted," said Browne.
Browne expressed support for the Royal Navy chain of command, as it considers taking "appropriate action" against the officers concerned. However, Liam Fox, shadow defence minister, said that the loss of the laptops pointed to systemic failure within the MoD.
Read this
Leader: Government at a loss over data security
You can't steal IDs you can't read and aren't there. Is this so hard to understand?
"This gives a damning picture of MoD incompetent mismanagement," said Fox. "This seems a systemic failure, not a single act of incompetence or irresponsibility. What on earth is going on? How much information on service personnel is out there? This government has shown a cavalier approach to the confidential information of UK citizens."
Fox added that this "dreadful mess" was potentially more damaging than the HMRC data loss, as the sensitive information was known to have been "stolen by a criminal".
Labour MP Andrew Miller said that he was "deeply concerned" that the lack of reporting of these incidents "may well constitute officials having broken [data-protection] law".
The Information Commissioner's Office, which is charged with enforcing data-protection laws, said that it would investigate the incident.
"This latest incident is a stark illustration of the potency of personal information in a database world," said Richard Thomas, the information commissioner, in a statement.
"The volume of information in this case is significant and I am concerned about the sensitivity of some of the information contained on the laptop and the fact it pertains to military personnel. But this is not just about security. We will need to know why so much information on so many people was held on a laptop and whether any of it had been retained for too long. We will require satisfactory answers from the MoD and a firm assurance that steps have been taken to improve data-protection practices before deciding on the appropriate action to take," Thomas added.
More than 500 laptops have been lost or stolen from the MoD since 1998, according to opposition MPs.
