The Ministry of Defence has admitted that 658 laptops have been stolen over four years, with another computer stolen last week in Liverpool.
A spokesperson said that the ministry banned unencrypted laptops leaving secure sites without a strong reason in January, and that the laptop stolen on Merseyside was encrypted.
The ministry owns around 35,000 laptops — 13,000 having full-disk encryption, 10,000 having partial-disk encryption and 12,000 being unencrypted. As of January, those without full-disk encryption cannot leave secure Ministry of Defence (MoD) sites without "a strong operational reason" and a waiver from the department's senior information risk owner.
"The MoD is currently carrying out a programme to equip 20,000 existing laptops with full-disk encryption," the spokesperson added. "So far, some 10,000 of these have been encrypted. The remaining 2,000 laptops not covered by this programme without full-disk encryption are being taken out of service."
In a written parliamentary answer on 17 July, 2008, the MoD said that 747 laptops had been stolen from, or lost by, staff since 2004. Earlier this year, it had said that only 347 had been stolen in that time.
The revised figures show that 658 laptops were stolen over four years, although this trend appears to be downwards: 272 were stolen in 2004, 130 in 2005, 155 in 2006 and 101 in 2007. The number of laptops lost totalled 89, with 22 lost in 2004, 18 in 2005, 27 in 2006 and 22 in 2007. Of the 747 lost or stolen, 32 were recovered.
"Revised figures have been taken from the data collated in the course of the investigation into details of computers and other electronic media lost [or] stolen since 2003 and provided to Sir Edmund Burton as part of his review," said defence minister Des Browne in his answer to Mark Pritchard MP, referring to the MoD's review of information security.
"For all years, they show an increase in the number of stolen laptops from the numbers previously reported… because the Burton Review investigation revealed anomalies in the reporting process," said Browne.
The MoD said it is undertaking other work to address the weaknesses in data protection identified by Sir Edmund's report, in three main areas:
- Named individuals in each business area are to be made accountable for the protection of personal data
- More central guidance on the subject is to be provided
- A central data-protection-compliance monitoring unit will be created
The MoD spokesperson added that a system of "censure and punishment" will be formalised for those who lose or compromise personal data, with punishments reflecting scale and seriousness, and taking into consideration whether the person responsible was military or civilian, government employee or contractor.
"The Burton Review found that there are also cultural issues relating to data security. As a result, our action plan includes an awareness and education campaign," the spokesperson added.
Last week, the MoD also released figures showing it had lost 87 data-storage devices holding classified data since 2004.
"It seems that this government simply cannot be trusted with keeping sensitive information safe. It is frightening to think that secret MoD information can be lost or stolen," said Sarah Teather, the Liberal Democrat MP who asked one of the parliamentary questions.
Talkback
It is frightening that laptops can be lost (mislaid or stolen) in such quantity or at all. While laptops are very nice I tend to wonder how many office based MoD staff actually NEED a portable computer to properly carry out their normal duties at their place of work. I can understand that military field units will have such need but not base personnel.
Review of need coupled with severe penalty and cost re-imbursement, regardless of status or rank, for laptop loss might well help to curtail the laptop disappearance.
It might also reduce the cost to the taxpayers, a matter of prime importance while the MoD cannot properly equip the soldiers in the field.