Ministry of Defence reports more than 1,500 data loss incidents in the last five years

News by Dan Raywood

More than 1,500 incidents of the loss of confidential or personal data have been reported by the Ministry of Defence in the last five years.

More than 1,500 incidents of the loss of confidential or personal data have been reported by the Ministry of Defence in the last five years.

In a wash-up debate in parliament last week, Angus Robertson, Scottish National Party MP for Moray, asked Bill Rammell, Minister for the Armed Forces, how many incidents of the loss of confidential data held by his department have been reported in each of the last five years, and in each of the last 12 months.

Rammell confirmed that a total of 1,705 incidents were reported between 2005 and 2009, with a high of 1,099 in 2008. He said: “The Ministry of Defence (MoD) takes any attacks on, or misuse of, its information, networks and associated media storage devices very seriously and has robust procedures in place to mitigate against and investigate such occurrences.

“Furthermore, new processes, instructions and technological aids are continually being implemented to mitigate human errors and raise the awareness of every individual in the department with regards to cyber security.”

In its defence, the MoD said that ‘in a number of these cases the documents were historical and so the original protective marking would have been eligible to be considered for downgrading' and would reduce any risk of compromise.

As to how they were discovered, it said a number of these incidents came to light as a consequence of thorough housekeeping activities and revised MoD data management practices. It also said that it was likely that a large number of instances relate to records of the destruction of documents not being accurately maintained, rather than documents actually having gone missing.

It said: “The surge in reported incidents from 2008 is largely attributable to two factors. Firstly, there is an increased awareness of the need to report data loss across the Department. Secondly, since the publication of the Data Handling Review and Burton Report, the MoD is now auditing its holdings of both personal data and removable media.

“This has identified a number of instances where the location of data could not be verified and has therefore been reported as a possible loss-even though in many cases they may have merely been unaccounted for or incorrectly disposed of.”

Chris McIntosh, CEO of Stonewood, said: “While this answer demonstrates that there have been a large number of data losses, it does not tell us anything about the severity and consequences involved, which are undoubtedly of much more importance.

“The armed forces need to strike a delicate balance between keeping data secure and quick to access, especially when in the field. By making sure that all data is encrypted at all times, personnel will be able to access and make use of it when necessary, while also having the peace of mind that, in the event of a loss, all that will fall into the wrong hands is essentially meaningless data.

“As long as solid encryption is in place and any data loss is correctly recognised, reported, reacted to and learned from, then the MoD can give their personnel access to the data they need and ensure that any loss will be as close to inconsequential as possible.”

Dave Everitt, general manager (EMEA) at Absolute Software, said: “Another day, another data loss reported, this time in its hundreds by The Ministry of Defence. What's most alarming about blunders such as these is that no one knows for sure which data has been lost and how the losses have occurred.

“It's crucial for organisations to understand the importance of knowing where your data is at all times. It might sound obvious, but IT departments need to be managing and monitoring all devices on a daily basis. They need to be certain they have complete visibility over who is using which device, especially as organisations are operating with greater mobility, which increases the risk of data loss.

“Getting the basics right means that if the worst happens, organisations know exactly what devices to shut down and what data is likely to be at risk. It is the ability to then delete, track and even recover the data that will put IT back in control of its assets and save the reputation of the organisation.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews