According to the BBC programme Who’s Watching You?, some 500 files with details of affairs, debt and drug use were lost in the theft of hard drives with data on tens of thousands of personnel from RAF Innsworth in Gloucester, UK, last September. At the time, the MoD failed to inform the public that the files contained sensitive, personal, vetting data, which could leave current and former service personnel, and the MoD, open to blackmail.
An internal MoD memo on the data loss incidence shown to the programme revealed that the lost RAF vetting files included “details of criminal convictions, investigations, precise details of debt, medical conditions, drug abuse, use of prostitutes, extra-marital affairs including the names of third parties”.
Such information could provide “excellent material for foreign intelligence services and blackmailers”, according to an unnamed wing commander quoted by the BBC.
The MoD said it had spoken to those affected by the data loss and that “there is no evidence to suggest that the information held on the hard drive… has been targeted by criminal or hostile elements.”
Portable devices always a risk
Paul Davie, founder and chief operating officer at Oxford-based database control company Secerno, told Infosecurity: “It is highly likely that whoever stole these USB disks did so without realising the value of the data they stole. The disks were simply a commodity item, probably worth less than £100 each – good for storing the kids’ pictures on the laptop at home. This being the case, they were probably reformatted and sold on with no real loss of data. Except...
“... it is hard not to be completely paranoid about the loss of sensitive military-related data. The implications are huge, obviously. Even if the disks are one day recovered – and that now seems unlikely after so long – the data on them has to be viewed compromised. All of the sensitive data on those disks has to be assumed to be in the hands of the wrong people – enabling potential blackmail and identity theft. It has a profound impact on the people whose data was stolen and on everyone they now deal with. I find the cost to the MoD of dealing with this aspect of the loss unimaginable.”
Davie said it is highly unlikely that this was an external theft as the hard drives were kept in a ‘secure area’ on a RAF base, although he also questions why any RAF personnel would “risk their careers to steal three low-cost hard drives”.
“The BBC reported last year that the MoD lost 121 USB sticks and more than 650 laptops over the period 2004-2008. Short of putting tracking devices in each one, this will continue to happen unless a ‘secure area’ really means a bank-style vault with appropriate security sign-out and monitoring procedures”, Davie said.
“The data was so incredibly valuable – so you would think it had to have been encrypted. Yet the sad fact is that it probably was not. Encryption of sensitive data at rest should be a minimum precaution, but it is a measure more respected in principle than practice
“It comes down to this – the casual theft or accidental loss of small devices is inevitable. Appropriate security measures around the data on them are therefore essential”, Davie concluded.