A Ministry of Defence official's laptop holding sensitive information has been stolen from a hotel, the 659th laptop to be stolen in four years.
The laptop, which was encrypted, was stolen from the Britannia Adelphi hotel in Liverpool on Thursday.
The news follows the government’s disclosure that 658 other laptops had been stolen in the last four years. This was much higher than the previous figure of 347 laptops stolen in 2004 to 2007. The revised laptop figures are the result of the Burton Review which "revealed anomalies in the reporting process".
The latest theft takes the total number of laptops stolen from the MoD over the past four years to 659.
In a brief statement on the latest laptop theft, the Ministry of Defence said: “We can confirm that an MoD laptop has been stolen. An investigation by the Merseyside Police is under way.”
“The laptop was security encrypted.”
Defence minister Bob Ainsworth said last week that the government was investigating defence laptop losses, as well as the theft of 121 USB memory sticks in the last four years.
Khalid Kark, principal analyst at Forrester Research, said a certain amount of theft or negligence was unavoidable, especially considering the common need for remote working today, but the MoD could still take steps to ensure better protection. It was the data that was lost, more than the actual number of laptops, that was of concern, he said.
"We recommend several layers of security embedded in processes and technology," he explained. "As well as policies to help prevent the loss of laptops, you need the protection in place so that if a theft does happen, you're not going to lose the data."
All endpoint devices, from laptops to mobile phones, PDAs and USB sticks, should be encrypted, he said, adding: "A standard encryption algorithm would take years to break."
Aside from technology, he said, there need to be proper policies in place, including "how to go about reporting a security incident and what to do when it happens", and training to ensure "awareness" of security issues.
The government should also consider whether it is necessary for highly sensitive information to be on portable devices in the first place, especially USB sticks and PDAs, he said. "It's a no-brainer with USB sticks. You're very likely to lose some, so it's worth making sure they don't have sensitive information."
Security software suppliers also took the opportunity to remind the MoD of the importance of tough data control policies and encryption.
Alan Bentley, VP Europe, Middle East and Africa at security and vulnerability management supplier Lumension Security, said the government needs better data control policies and to report more effectively on all information transferred to and from removable media.
“Auto encrypting the whole laptop whilst offline is relatively easy. The hard and therefore the most at risk part is knowing exactly what data is coming in and going out of your network from the end point,” he said.
The government’s biggest headache may be the 121 lost USB sticks, according to Matthew Brown, VP products at data protection vendor Workshare: “If an employee loses a laptop containing sensitive information it’s likely they’ll be quick to inform employers to their mistake. When it comes to USB pens the story is different.”
“Securing the data stored on USB drives through the use of intelligent encryption must therefore become a top priority for all organisations if they are to ensure data remains confidential,” he added.
Nick Lowe, northern Europe director at security supplier Check Point, said he doubted that many of the previous 658 laptops were protected by encryption.
“We don’t know if any of these devices or laptops were encrypted, but recent experience suggests that the majority were not. Even as recently as November 2007, only 48 percent of public and private sector companies had any data encryption software in use, according to a survey we conducted.”
Last month, as part of security technical measures published by the Cabinet Office, the government set the rule that any disc, USB stick or laptop containing sensitive information will have to be encrypted if it is taken out of Whitehall. There will also be mandatory training of all civil servants on data handling and protection, compulsory penetration testing of departments' networks and privacy impact assessments for all service delivery projects.