MoD blunders put lives at risk
Sixteen serious security lapses in Northern Ireland lead to calls for urgent review
Serious security lapses within the Ministry of Defence which could have put the lives of hundreds of Northern Ireland staff at risk have been revealed.
A catalogue of incidents involving the loss or unauthorised accessing of sensitive files and data has occurred in the Northern Ireland in recent years.
In some cases laptops and memory devices, potentially containing details of hundreds of employees, went missing or were accessed.
It has prompted calls for an urgent review of security, amid claims that lives could be at risk if sensitive information falls into the wrong hands.
The security lapses include:
- A CD containing “sensitive intelligence summaries” and personal details of MoD staff went missing;
- A ministry laptop — still bearing its MoD operations stickers — which was accidentally donated to a charity shop;
- A memory stick containing training information and members' details which was found by a member of the public — who then attempted to sell it on;
- And information sent to around 3,000 Northern Ireland service veterans in envelopes which identified them as ex-military staff.
Ulster Unionist MLA Ross Hussey, who is a member of the Policing Board, described the blunders as appalling.
“One incident is one too many, particularly when it involves anything to do with personal security, and especially so in Northern Ireland where we have a high dissident threat,” he said.
“Any information that could fall into their hands could lead to someone losing their life, so it is of major concern to see incompetence of this type.”
Details of data security breaches were released to this newspaper by the MoD following a Freedom
of Information request. According to the documents, 16 data breaches have been investigated in the last four years.
In some cases, a single incident could have involved dozens of individuals.
One of the most alarming losses was a “confidential” disk containing “sensitive intelligence summaries” and personal details of MoD staff.
It is still unclear if the item — which went missing in May 2008 — was ever recovered. In a second serious incident, a laptop — with its MoD sticker still attached — was handed to a charity shop. Once the error was realised staff dispatched an employee to collect it again.
A computer processor belonging to the MoD was also handed in to police by a member of the public.
And in a fourth case, an unencrypted USB data stick was mislaid — but wasn’t reported lost for nearly seven weeks. Mr Hussey said the incidents were “very concerning”.
“When you hear of the Ministry of Defence, you would think security would be high on their agenda,” he added.
“Any department that is going to sell or donate a laptop should ensure all records are cleared from it. The fact that it wasn’t smacks of incompetence.
“Where equipment with secure information is left behind, that also smacks of incompetence.
“The fact that this involves both national security and personal security causes me major concern.”
An MoD spokesman said it took any loss or theft of communication, information and data very seriously.
“We have robust procedures in place to mitigate against such occurrences,” he said.
“Our challenge remains to reduce the number of such incidents and we work hard to minimise the impact of the loss of information by ensuring that devices are encrypted.
“Where encryption is not possible we ensure that additional security measures are in place.
“Processes, instructions and technological aids are continually reviewed, revised and implemented to mitigate human errors and further raise the awareness of every individual in the department of their vital role protecting MoD information and assets.”
Lost files, missing laptops and computers found by the public
Sensitive intelligence summaries lost
A CD marked ‘confidential’ and containing sensitive intelligence summaries and the personal details of MoD staff was lost. The theft was reported on May 18 2008. An investigation was launched into the incident, but no sanctions were imposed.
MoD computer found by public
A computer processor belonging to the MoD was handed in to police by a member of the public. The processor was password-protected, preventing further access to the database. According to the incident log, help was requested to “ascertain the likely damage that could have been caused”.
Laptop mistakenly donated to charity
The Ministry was informed that police had been handed an MoD laptop which was donated to a charity shop. The Fujitsu laptop, which was five to seven years old, still had its MoD operations sticker attached. In a sign of the panic the incident caused, the log reported how the MoD had been told it could collect the laptop and had already dispatched an individual to do so.
Laptop goes missing
A muster of all laptops and handheld computers was carried out. One laptop signed out against an employee at RAF Aldergrove remained outstanding. After initial searches and cross-checking of documentation, the laptop remained unaccounted for. The item was classified as ‘restricted’ and reported missing in March 2009.Since then, new accounting procedures were implemented.
Unencrypted laptop is stolen
A laptop which was not encrypted — and had only a Windows password — was reported stolen. The contents of the device included an email relating to the sale of MoD land, although no personal details were included.
Attempt to sell USB stick
A personal USB data stick was lost by a member of the Royal Naval Reserve while visiting colleagues in Belfast for a social event. The stick was subsequently found by a member of the public who attempted to sell the contents to a newspaper.
According to the log, the USB stick contained a variety of files including old restricted training information and details of Royal Naval Reserve members.
‘Secret’ mail opened
A courier service received an envelope, marked ‘secret’, which had been opened in transit. It was later established Royal Mail had opened the envelope as the address on the outer envelope could not be read. Once Royal Mail identified where the letter originated from, they contacted the MoD.
Mail shot identified service veterans
A mail shot was sent out to service veterans enquiring if they wanted to sign up to a “club together” discount scheme. The envelopes clearly identified the recipient as a service veteran and were sent to Northern Ireland without being “double bagged” – put inside an unmarked envelope – contrary to normal procedures.
Laptop stolen during burglary
A break-in was discovered at an office connected to the MoD in Northern Ireland. A chair had been moved to the window to aid the escape and the laptop and case had been moved from the centre desk. An encryption key and 3G password were left behind. A criminal case into the break-in is continuing, the log states.
USB stick with young people’s details goes missing
A USB data stick was reported lost. Although the item went missing on August 9 2010, it was not reported lost until September 24 – nearly seven weeks later.
According to the incident log, the USB contained the names of young people connected with community development work. The stick was privately owned and not encrypted.
The device was used by a civilian member of staff currently on suspension for issues not related to the incident.