
British MoD Stunned By Massive Data Loss

Master of Transhuman writes "Seems like nobody can keep their data under wraps these days. On the heels of the World Bank piece about massive penetrations of their servers, the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel in the British armed forces, and perhaps another 600,000 applicants. This comes on the heels of the MoD losing 658 of its laptops over the past four years and 26 flash drives holding confidential information. Apparently the MoD outsources this stuff to EDS, which is under fire for not being able to confirm that the data was or was not encrypted."
  • by argiedot ( 1035754 ) on Saturday October 11, 2008 @05:16AM (#25337815) Homepage

    The only time I have ever lost a device is when I was mugged and my phones were taken from me and I'm just any other person.

    It should be interesting to see what the ratio of laptops lost to all laptops provided is. Maybe this cynicism is because I live in India where corruption is rampant and entire flyovers can be 'lost', but I'm a bit suspicious about this whole thing.

    Also, if they're losing laptops with information at such a high rate, at what rate are they losing paper files? Surely it's harder to keep track of the 20 binders with 100 sheets in them than it is to keep track of one hard drive?

    I find it hard to believe that these people are really that incompetent. Hanlon's Razor doesn't always apply.

  • Re:No, no, no (Score:1, Interesting)

    by Anonymous Coward on Saturday October 11, 2008 @05:22AM (#25337849)

    if they run their business like who they're owned by (HP as you pointed out)

    then yes, they are incompetent.

  • by Firefalcon ( 7323 ) on Saturday October 11, 2008 @05:35AM (#25337905) Journal

    ...of why we shouldn't be outsourcing critical/sensitive data handling. Yes, Government departments can cock-up enough without external help, but so many of these data loss issues at the moment seem to be the fault of a private company they've outsourced to.

    Also, I worry about the outsourcing of anything relating to our Country's security. When you give the job to the lowest bidder, what can you expect but a barely adequate service?

  • Re:No, no, no (Score:1, Interesting)

    by Anonymous Coward on Saturday October 11, 2008 @05:36AM (#25337907)

    Different AC here, but that list of clients looks familiar. I'm sure half of them have been on slashdot about lost data or poor security standards at one point or another in the last year, yes?

  • by somersault ( 912633 ) on Saturday October 11, 2008 @06:20AM (#25338055) Homepage Journal

    It was standard practice for our head of accounting to take our backup tapes home for a few years. This year I saw some of our tapes just lying out in plain view on the passenger seat of his car, so I politely showed him a couple of stories about data loss when tapes were stolen from cars, and have been taking the tapes home myself now.

  • Re:No, no, no (Score:4, Interesting)

    by jeremyp ( 130771 ) on Saturday October 11, 2008 @07:05AM (#25338223) Homepage Journal

    EDS has been responsible for quite a number of screwed up Government IT projects in the UK. Somebody at the MoD was responsible for giving the data to that incompetent shower.

  • Re:No, no, no (Score:1, Interesting)

    by Anonymous Coward on Saturday October 11, 2008 @07:11AM (#25338257)

    Heh, I just remembered, I've dealt with EDS before.

    I had to fix something for them. A consulting gig of some sort (I don't recall) the customer, or partner or them, called us up because we fix other consultants' screw-ups.

    EDS is incompetent. (In my limited experience)

  • Re:No, no, no (Score:4, Interesting)

    by Gordonjcp ( 186804 ) on Saturday October 11, 2008 @08:01AM (#25338435) Homepage
    EDS used to have a facility in Livingston (basically right in the middle of Scotland) where they printed welfare cheques (photos of the abandoned plant here [28dayslater.co.uk]). This closed down when they went to paying by BACS or similar. Anyway, according to a couple of people I know who were hired by contractors to clear all the media and computers from the site, there were quite a few highly unsavoury types handling not just storage devices and backup tapes, but also paper records while the building was being cleared. No background checking, nothing.
    What utter fucktards.
    (incidentally, posting this showed up an oddity of the URL parser - if the URL wraps so there's a space between 'href="' and 'http' then it breaks, big time.)
  • by BenEnglishAtHome ( 449670 ) on Saturday October 11, 2008 @12:20PM (#25339919)

    what kind of tricky stuff are you doing to detect full-disk encryption on any machine that touches the network?

    I don't know. I'm on the receiving end of those alerts, so I know they happen. Exactly how, I'm not sure. Our logon scripts do all sorts of stuff, including automatically installing updates to vertical apps, so checking for full disk encryption wouldn't seem to be too hard a task. I know there are certain files on the machines that do not exist until encryption has been installed and fully enabled. I assume that looking for them would be trivial. But that's just a guess.

    To show you how tight our scans are, we had a contractor who plugged a personally-owned USB key into his IRS-issued laptop. It contained some basic maintenance tools as well as some network monitoring tools. He wanted some simple utility, I forget which one, and instead of asking for it through channels he just plugged in his copy. Literally *5* minutes after he plugged in the key, his machine was deleted from the domain and his personal identifier was wiped from all systems, just like we do when someone is fired. 5 minutes after that, his boss got a call from our security office explaining that the employee was being reviewed for termination. The boss explained that he was a good guy, new to the organization, just made a mistake, and asked for some slack. Ultimately, the guy got a two-week suspension and then had to re-build everything (system access permissions, etc.) as if he were newly hired.

    I really don't question the notion that our monitoring does a good job of catching any funny business.

    And more importantly (assuming that this requires a boot-time password; I've never bothered with any serious encryption), do you have something that detects the sticky note on the bottom of the laptop with said password?

    This is one of the areas where we take a notably sensible approach. Our security rules that each person must sign and obey do NOT prohibit writing down passwords. It's officially discouraged but not prohibited. We take the attitude that as long as that list is protected, like people protect their ID card, door key card, and credit card, there's no problem.

    Nobody puts a sticker on the bottom of their laptop or keyboard. We have constant security inspections, usually after hours, and doing crap like that gets you disciplined severely.

    I won't go into excess detail (which, by itself, would be a violation of our security rules) but suffice it to say that if you wanted to steal and get data off an IRS laptop, you'd have to mug the user, get their password list, know their internal ID (which no one writes down because we use it constantly) then mug a different person with local machine administrator credentials, get logons and passwords from that person, then know exactly where to type all of them in without making more than three mistakes to lock up the machine.

    The only people who could successfully get information off our laptops would be our admins. But we can get to that stuff internally, already, so that's not a realistic threat.

    Realistically, the only thing a thief can do with a stolen IRS laptop is wipe it, install an OS, and use it.

  • Re:No, no, no (Score:3, Interesting)

    by mpe ( 36238 ) on Saturday October 11, 2008 @12:46PM (#25340113)
    EDS lost a hard-drive, belonging to the MoD. Had to get that in before the "Government is intrinsically incompetent" posse got here.

    Maybe instead of paying 12 billion quid to spy on the British public it should instead be used to spy on EDS...

    EDS, a privately owned and run subsidiary of Hewlett-Packard, subcontracting to the MoD, were responsible for the security of this drive, and they, not anyone at the MoD did the losing here.

    WTF was the MoD doing letting this data near any foreign company? At the very least whoever agreed to this should be prosecuted under the official secrets act.
