MOD Admits Losing An Entire Server

The Ministry of Defence has published details of its data loss incidents for 2008 – which include the loss of an entire server from an apparently secured government building, and the loss of 1.7 million individuals’ personal data.

As part of its Annual Report and Accounts document published this week, the Ministry of Defence is obliged to list any serious data breach incidents over the last 12 months. While details of some of the incidents have been reported already, collecting the information together provides a summary of the various ways information security has been subverted in the MOD over the last year.

The incidents include one entry listed as occurring in September 2008 when it was apparently discovered that ” a server was missing following the closure of a secured government premises”. The report also goes on to provide details of the data which is described as “names, addresses, details and service number [sic] or National Insurance number [sic] and medical records relating to around 700 individuals – 200 of which are reported to be active records. The police were notified of the incident, the MOD reports.

The most infamous data loss incident in the report happened in October 2008 when a portable hard disk containing personal data of some 1.7m individuals went missing from the supposedly secured office of a contractor. Although not named in the MOD report, the contractor was reported at the time to be EDS and the personal information related to individuals interested in joining the military rather than serving personnel. The report lists the action being taken after the incident as: “APACS contacted with details of 16,000 bank accounts that could have been affected. Police notified. Helpline established to answer enquiries.”

For its part EDS said in a statement at the time that it was “unable to account” for the hard drive but that there was “no evidence that security at the site has been breached.”

As well as listing missing or potentially stolen data, the report also records an incident in August 2008 when a MOD computer apparently suffered “catastrophic failure” and “back-up failed”. The data was apparently medical records of around “1150 servicemen and their dependents”. The action taken was to notify those concerned and recreate the records manually.

Commenting on the incidents, the MOD states that it has improved its policy and approach to information security in light of the Burton review.

“The department has made good progress implementing the recommendations of from the Burton Report. Forty-one of the 51 recommendations have been achieved. Significant progress has been made against the remaining 10,” the MOD report states.

Unfortunately for the MOD, the Burton Review was actually conducted in April 2008 in response to the loss of a laptop containing 600,000 people’s details and before the EDS portable hard disk incident relating to 1.7m people.