Personal details of 100,000 members of the British Armed Forces have been lost

10 October 2008

A computer hard drive containing the personal details of approximately 100,000 members of the Armed Forces has disappeared. The information includes bank details, dates of birth, passport numbers, addresses and telephone numbers.

The disk was being held by EDS, one of the UK Government's main contractors, and an investigation is under way.

Andrew Clarke, senior vice president, International, Lumension Security comments: “This latest security blunder involves unencrypted disks that contain extremely sensitive information and at this stage it is not known how long the data has been lost for. Whether data was lost by the Government or a contractor, without implementing the necessary security procedures to protect data in transit, data leakage will continue, exposing thousands of innocent people to identity theft.

“This incident demonstrates that decisive and effective measures still need to be taken to protect against data leakage. Although taking control of data leakage is no mean feat, any organisation holding sensitive data needs to take responsibility for establishing and enforcing device control policies that assign permissions to individuals and devices. Moreover, all data needs to be encrypted to ensure that if it falls into malicious hands it is inaccessible and worthless. It is simply no longer enough to write a computer security policy and expect everyone to follow it to the letter. This is especially true in the case of contractors - monitoring your information and knowing where it is at all times becomes much more complex when multiple parties are involved in the process.

“The proliferation of data loss occurrences due to the inappropriate or sometimes criminal use of removable media devices has reached alarming levels, with no sign of abating. The only way to eliminate data loss from removable devices is to take control of the flow of inbound and outbound data from your endpoints and encrypt the data during transmission. These solutions exist today; policy needs to enforce their usage. The Government released a report into Data Handling Procedures in June 2008 addressing this issue and we are seeing isolated moves to proactive implementation of policy, such as NHS boards across Scotland injecting funding into the improvement of IT security. But, we can only ask when will all organisations start taking this escalating data loss seriously and act preventatively?"

Print version | email this to a friend Email to a friend | View other articles