MoD Reported 7 Serious Data Losses To ICO

The Ministry of Defence has disclosed that in a one year period, it suffered 7 serious data loss incidents which were reported to the UK’s Information Commissioners Office (ICO).

The MoD admitted the personal data blunders in its Annual Report and Accounts 2020-21 (page 113), which showed that the data losses impacted a total of 4,331 people between April 2020 and March 2021.

The MoD also internally recorded another 552 data incidents (mostly unauthorised disclosures), but these incidents were “deemed by the Data Controller not to fall within the criteria for reporting to the ICO.”

Data compromises

“An incident is defined as a loss, unauthorised disclosure or insecure disposal of personal data,” said the Ministry of Defence report.

“Protected personal data is information that links an identifiable living person with information about them which if released, could put the individual at risk of harm or distress.”

“The definition includes sources of information that because of the nature of the individuals or the nature, source or extent of the information, is treated as protected personal data by the Department,” it added.

“Those incidents reported to the Information Commissioner’s Office (ICO) are all notified via the MOD Security Incident Reporting Scheme (MSIRS),” it said.

So what types of data losses happened during that one year period?

On 20 May 2020 for example, “an individual emailed personal data to external organisations and international media outlets,” that revealed the “identity and home addresses of (147) MoD personnel.”

Two data incidents took place on 20 July 2020. The first saw “images from an incident logbook were posted to social media,” which revealed “details of the individual, the injury sustained and how it occurred.”

The second incident on that day saw “documents prepared for court were not correctly redacted. This disclosed the identity of several individuals (actually 5) involved in a court case.”

Then on 20 September 2020 “an individual posted documents to a closed social media group,” that revealed the “details of cadets and adult volunteers (30).”

On 20 October 2020 “an unredacted copy of criminal allegations was incorrectly passed to the accused in an administrative action,” revealing the “identity of the victim and witness statements (5)”.

On 21 January 2021 a “member of the public’s question to their MP was accidentally uploaded to the House of Commons website,” which revealed their “name, location and details.”

But the largest disclosure of personal data took place on 21 February 2021, when “an email account associated with MOD Schools was compromised for 72-hours.

This revealed the “details of (4,142) students and parents.”

Lost devices

Data losses and the MoD do happen on a regular basis, it seems.

Last October the Mail on Sunday reported on a cut-and-paste error, when secret plans for a suite of enhanced weapons, potentially for use by Britain’s Special Forces, were posted to an unidentified Government website.

Details of research into the next generation of munitions appeared to have been safely redacted in a document marked ‘Official Sensitive’, the Mail reported.

But unfortunately, a simple copy and paste of the text, reportedly revealed every blanked-out detail.

But during the April 2020 and March 2021 period, the MoD said that among the incidents not reported to the ICO, it had suffered 27 losses of “inadequately protected electronic equipment, devices or paper documents from secured Government premises.”

It also suffered 7 losses of “ inadequately protected electronic equipment, devices or paper documents from outside secured Government premises.”

There were two cases of “insecure disposal of inadequately protected paper documents,” and 479 cases of “unauthorised disclosures.”

Although alarming, this is a much better performance from the MoD than in previous years.

In 2008 for example, the MoD admitted it had lost an entire server from an apparently secured government building, as well as the loss of 1.7 million individuals’ personal data.

Expert reaction

Experts were quick to react to the MoD admissions about the data compromises and device losses.

“Our courageous soldiers, sailors and air force personnel are willing to sacrifice their lives – often working under cover and in extreme conditions – so we can live in safety and freedom,” noted Donal Blaney, founder of Griffin Law.

“The least the Ministry of Defence could do is keep these brave heroes’ personal data safe and secure,” said Blaney. “Instead, their identities, and potentially the safety of their families and friends, have been put at risk by superannuated MoD pen pushers… ”

“The Information Commissioner needs to investigate these breaches and bring those responsible to justice,” Blaney said.

Greater visibility

Another expert said the MoD disclosures shows the need to provide the right training to staff, and provide security teams with the needed visibility to respond quickly to incidents.

“People are handling more data than ever before, and with that comes the inevitability of human error,” said Tim Sadler, co-founder and CEO of Tessian. “Mistakes happen and, unfortunately, they can result in serious incidents which compromise data security and privacy.”

“For example, emails being sent to the wrong person continue to be one of the leading causes of data breaches today,” said Sadler. “Organisations, therefore, must have security measures in place to prevent people’s mistakes before they turn into data breaches, and they must find ways to support staff who have access to large amounts of valuable or sensitive data to lower the risk of regulatory violations.”

“It is critical that employees are given the training they need to make the right cybersecurity decisions and that security teams have greater visibility to respond quickly to incidents as and when they happen,” Sadler concluded.