RAF defends failure to encrypt stolen data on 50,000 military staff

Three portable USB hard drives containing sensitive information have been stolen from the RAF Innsworth base in Gloucestershire.


Three portable USB hard drives containing sensitive information have been stolen from the RAF Innsworth base in Gloucestershire.

The unencrypted personal records of thousands of current and former RAF staff were stored on two of the drives, but the third did not contain any personal data. Reports have suggested up to 50,000 people’s data could have been compromised.

The theft, which took place last Wednesday from a high-security area of the base, is currently being investigated by MoD police and Gloucestershire Police. The MoD said it took the incident “extremely seriously”.

But it defended the lack of encryption, saying the data had been locked away in a highly secure location. In a statement, it added: “The theft of these hard drives from a secure location, where they were subject to physical protection standards consistent with the Data Handling Review, is being treated with great seriousness.”

It said there was “no indication that the theft was motivated by a desire to obtain the data, nor that the data has been exploited maliciously in any way”.

The MoD said it would notify any individuals whose sensitive data, including financial details, had been lost.

It is the latest in a string of government data losses, and comes days after 11,000 teachers’ details were stolen on a disc in transit to the General Teaching Council. It is also only months after calculations by the BBC showed that the government had lost the details of one in every fifteen people in the country in the last year alone.

Analysts recently told Computerworld UK that the government needs to make better use of technology to prevent data losses, and not rely on policy alone. They said data leakage prevention software, network access control and encryption were all vital technolgoy that needed to be used.

Nick Harvey, Liberal Democrat spokesperson, said following the latest problem: "The current situation is unacceptable. How can the Government expect people to support ID cards when personal information is apparently so insecure?"

Nick Lowe, Northern Europe director at security supplier Check Point, said: “The fact that this theft happened in a military high-security area shows it can happen to any organisation. It's vital to go the extra mile and protect data with strong encryption, not just lock and key.”

The movement of data needed to be more closely controlled, said Andrew Clarke, senior VP at device control supplier Lumension Security. “The government needs to put in place device control policies that enforce assigned permissions to individuals and devices and ensure all data is encrypted during transmission.”

"Recommended For You"

Employees circumvent IT security controls ‘to get job done’ MoD: Up to 1.7m people's details lost