IT contractor EDS has lost a hard drive containing unencrypted Ministry of Defence data.
According to press reports, the drive contained sensitive information on approximately 100,000 armed-forces personnel, plus 600,000 potential recruits.
The Ministry of Defence confirmed to ZDNet.co.uk on Friday that a hard disk had been lost by EDS, but would not confirm that the removable hard disk contained personal information.
"On Wednesday 8 October we were informed by our contractor EDS that they were unable to account for a portable hard drive used in connection with the administration of armed-forces personnel data," the MoD said in a statement. "This came to light during a priority audit EDS are conducting to comply with the Cabinet Office data-handling review. The MoD police are investigating with EDS."
EDS told ZDNet.co.uk that the disk was being held in a secure location in premises in Hampshire when it went missing, but was unable to say exactly what data was on the drive.
"We have been unable to account for a removable hard drive that was held in a secure location at our facility in Hook," EDS said in a statement Friday. "We are working with [the MoD] to investigate this, including to establish what data may have been on the hard drive. There is no evidence that security at the site has been breached."
ZDNet.co.uk understands that as the disk was stored in a secure area, under standard EDS procedures the disk would not have been encrypted. As site security has not been breached, it is thought that the probable cause of the loss was not targeted theft. However, insider petty theft and a chance that the disk could be being used elsewhere on the premises are also possibilities.
In January, the MoD admitted it had lost three unencrypted laptops containing details of 600,000 defence personnel. The MoD also revealed in July that 658 laptops had been stolen from it in four years.
Talkback
This post has been removed by a moderator.
This latest security blunder involves unencrypted disks that contain extremely sensitive information and at this stage it is not known how long the data has been lost for. Whether data was lost by the Government or a contractor, without implementing the necessary security procedures to protect data in transit, data leakage will continue, exposing thousands of innocent people to identity theft.
This incident demonstrates that decisive and effective measures still need to be taken to protect against data leakage. Although taking control of data leakage is no mean feat, any organisation holding sensitive data needs to take responsibility for establishing and enforcing device control policies that assign permissions to individuals and devices. Moreover, all data needs to be encrypted to ensure that if it falls into malicious hands it is inaccessible and worthless. It is simply no longer enough to write a computer security policy and expect everyone to follow it to the letter. This is especially true in the case of contractors - monitoring your information and knowing where it is at all times becomes much more complex when multiple parties are involved in the process.
The proliferation of data loss occurrences due to the inappropriate or sometimes criminal use of removable media devices has reached alarming levels, with no sign of abating. The only way to eliminate data loss from removable devices is to take control of the flow of inbound and outbound data from your endpoints and encrypt the data during transmission. These solutions exist today; policy needs to enforce their usage. The Government released a report into Data Handling Procedures in June 2008 addressing this issue and we are seeing isolated moves to proactive implementation of policy, such as NHS boards across Scotland injecting funding into the improvement of IT security. But, we can only ask when will all organisations start taking this escalating data loss seriously and act preventatively?
These data breaches and thefts are due to a lagging business culture. As CIO, I'm always looking for ways to help my team, business teams, and ad hoc measures of various vendors, contractors and interal team members. A book that is required reading (specific chapters, depending on nature of projects and teams) is "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." It has a great chapter regarding security (among others).
We keep a few copies kicking around - it would be a bit much to expect outside agencies to purchase it on our say-so. But, particularly when entertaining bids for projects, we ask potential solutions partners to review relevant parts of the book, and it ensures that these agencies understand our values and practices.
The author, David Scott, has an interview here that is a great exposure: http://businessforum.com/DScott_02.html
The book came to us as a tip from one of our interns who attended a course at University of Wisconsin, where the book is in use; I like to pass along things that work, in the hope that good ideas continue to make their way to me. I hope you can make use of this info...