Agree with Halo - we could load up the bus every week. Quite simply, many of those entrusted with the data, neither understand the risks and are ignorant in terms of data security. Not made any better, by the multiple layers of contract responsibility, that the government has no sanction over.

Best brush up on Symbian.

Now are the MoD going to pay to have all my details changed?

Passport
Driving Licence
Bank
National Insurance Number
Insurance- PAX
CILOCT

All of which can be used to obtain services and money by deception. Thereby robbing me off my money. Or is ahmed the local islamic terrorist going to start visiting peoples homes and spreading the love. Or is my money going to end up in bangladesh. All the time and effort I do keeping my identity a secret to prevent fraud has been wasted. Doesnt the MoD have a duty of care to prevent my details getting into the wrong hands.

So as I understand the entire armed services personal information may be in the hands of future and present enemies. Brilliant!

I hope MI6/5 are enjoying their morning coffee, Because everything they are here for has been completely wasted.

Well at least my pin number is secure........

Any duty of care cases that cost the MOD money will be picked up no doubt by the MOD while EDS/HP wash there hands of the whole affair...

or am i just being a cynic again...


the only reason this got discovered was because they were finaly being forced into a full audit, FFS.

Well what are we worrying about? It's bound to be ok.

Playing devils advocate here for a minute.....

A spokesman for the MoD said: "On 8 October we were informed by our contractor EDS that they were unable to account for a portable hard drive used in connection with the administration of Armed Forces personnel data.

"This came to light during a priority audit EDS are conducting to comply with the Cabinet Office data handling review. The MoD Police are investigating with EDS."


EDS were carrying out an audit regarding Data Handling, a portable device by its very nature is exactly that and as such should not be being used for handling sensitive data when there are other more secure means.

However, having been involved in IT within the forces, I have seen more MoD/Forces people using portable devices than I have Contractors, partly because Contractors tend to work on only 1 system where as the MoD/Forces personnel do work across multiple systems so would suggest until investigation is complete we dont hang the messenger before we know he did it.

Just my opinion

I am an IT contractor and have worked on MOD, Police & Government sites on various projects. Data handling procedures are laughable within these organisations and from what I have witnessed the majority of lost data cases come from their own staff which are then brushed under the carpet. Civil Servants appear to have a different work mentality than personnel from the private sector.

Yes, contractors do seem to take all the hits these days but part of the blame can down to project deadlines. Many a time I have taken data off site to continue the work at my hotel or over the weekend in order to get the project cracked within the require timeframe. It would be so easy to misplace an 8gb flash drive with the likes of a UK ANPR database on sitting on it. Yes, we all talk of encryption but this is very rarely implemented due to adding an extra amount of mouseclicks to the task at hand. As all IT bods will know, the less mouseclicks the better.

The data could be signed over from a civil servant but this never happens either. Contractors will always have root access to any system they are working on and then its just a case of insert flash drive, right click, copy, paste - bam > nice big database to take home with me.

Err....Thats why I have spent the last few weeks fitting encrypted drives into laptops.

Slightly off topic...

Does anyone know the MOD’s policy on stolen laptops?

For as little as £50 a laptop can be upgraded to track the physical location of a laptops MAC address the next time it connects to the internet, commands can also be sent to instruct the BIOS to format the HD.
Laptops with internal web cams have the option to take pictures of the thief.

Is this system in place with sensitive laptops?

This raises the question of why the hell they needed to use live data in order to test computer equipment

Web cam on a secure laptop? I think CESG and DSSO would have a collective cardiac arrest at that idea

Maybe EDS should have a name change?

ED(N)]S Every ones Data NOT Secure

There is no reason at all why you need live data to test software.

The whole point of having a test environment and a user acceptance environment is that you can use any data size you want and anaonymise (is that a real word?). Its a laughably trivial task to do

Information Security as a discipline is not a load of shite as someone mentioned above but if organisations don't actually do it then this is what happens so it appears to be, thats the difference

The world, business, the civil service, MoD etc aren't short of guidance and people who know what they are doing with regards to information security, there is mature standards and best practice coming out of our ears that work if implemented but there in lies the problem.

To do it right takes resources, committment, money and sanctions

Without these we might as well not bother

Apparently it was a TAFMIS 1 TERABYTE drive. Glad I am not in the TA!

uqfegd

pp

TAFMIS is the recruiting system and is not just TA.

If I took a Protectively Marked document home and then lost it, depending on it's Marking, I would potentially say goodbye to my career. I thought I had lost some crypto years ago and spent an hour absolutely bricking it as I thought I would be packing my bags that night, after a stint in pokey.

In the army, losing PM material is seen as one of the worst things you can do, with what could be interpreted as paranoia and seemingly OTT procedures guarding they storage, transport, etc. I see this as no bad thing and wondered if it would benefit those members the MOD who are on contact with sensitive material to do the same.

Alternatively, we could just publish all the sensitive details of those involved in losing our details on a website. Maybe they would take extra time in ensuring didn't lose stuff in future.

This is because the govt allows companies to bid for contracts regardless of their past performance and they must be considered, and if they present 'best value' accepted. Its a bit like a scumbag appearing in court and his previous not being revealed to the jury.

It was announced this morning at which site the missing disc was found to be missing, it is a secure site where you either have to swipe in or sign in so to check who may or may not have removed the drive should simply be a case of checking all those who had access to the equipment since it arrived in the building. Would also like to know it the kit was built at said site or built elsewhere and shipped with or without hard drive


Oh and the laptops I have are all encrypted and if you try to use removable media, it encrypts those too.

I entirely agree. Far too easy to blame it all on the Contractors leaving the real core of the problem (sh1te management and data handling procedures within the client) untouched.

There is a story going round about one of episodes of "lost" HMRC data. Tale is it was never lost because it never existed: the discs were never produced and thus never sent. Someone lied to their boss (twice) about having done so and then could not back out.

Truth or IT Industry Myth? Who knows, but sounds dangerously credible given the behaviours of some HMRC mongs I have dealt with.

Is there not a case for a group action against EDS and its buyer, HP, given the grave security situation and the chances of identity theft.

If there was a group action please sign me up

Sorry mate that is the problem with Information Security where people such as yourself quote the 'discipline' and then blame naughty people for not following it.

The organisations that you refer to are everybody, public and private sector. No-body follows the theory' which, I agree is irrefutable but unworkable.

If you choose to dispute this please come back with some examples.