The civil servant responsible for the loss has been suspended by the Cabinet Office, and Home Secretary Jacqui Smith is now facing demands for an official enquiry.
According to BBC reports, the two documents were marked “UK Top Secret: for UK/US/Canadian and Australian eyes only”; the first of which was commissioned by the Ministry of Defence on Iraq’s security forces, and the second of which was entitled, ‘Al-Qaeda Vulnerabilities’.
The papers were taken out of Whitehall by the official, who is described as a senior male civil servant working for the Cabinet Office’s intelligence and security unit, and left in an orange cardboard envelope on the seat of a Surrey-bound train from London Waterloo on Tuesday 10 June.
A full-scale search was launched by the Metropolitan Police once the documents were reported missing.
A spokesperson for the Cabinet Office said: “Two documents which are marked as ‘secret’ were left on a train and have subsequently been handed to the BBC. There has been a security breach, the Metropolitan Police are carrying out an investigation”.
Conservative and Liberal Democrat representatives have backed calls for an enquiry. “It beggars belief that the government could have scored such a devastating own goal on the very day it was pushing draconian counter-terrorism laws through parliament”, said Chris Huhne, home affairs spokesperson for the Liberal Democrats.
Steve Browell, general manager of the European security division for Bell Micro, believes that having such sensitive information on paper is a big mistake. “It is concerning that sensitive information of this type still needs to exist on paper. In that form it is so easy to copy and to lose. Technology exists today to store and encrypt this data, audit its access, track its transmission, prevent it being printed, and even remotely wipe it from portable devices in the event of loss. It is surely time to embrace the digital age and hold information of this type electronically”, he argues.
Paul Davie, Founder of Secerno, is shocked at the severity of this data breach. “The fact that this person felt it appropriate not only to take such papers out of a secure office, but then to read them on a train is scary enough in its own right. Presumably the individual was acting under severe work pressure, as his/her actions must have broken internal guidelines”.
Davie says that putting the right technology in place to prevent security breaches is only half of the battle. “Security is half technology, half behaviour. All branches of central and local government are taking data security seriously and upgrading their technology base to keep up with a rapidly changing external threat landscape. Similarly, all branches will have detailed and regularly reviewed security policies”, he acknowledges.
“But these technologies and policies can only work effectively when there is a strong culture of security embraced by the organisation, influencing automatic human behaviour by all. We saw the same issue at HMRC last year – technology and policies made redundant by human behaviour. The huge worry here is that the security culture at these organisations is a bar set way too low”, Davie concludes.