Loss of RAF Data


LFFC
18th Jan 2008, 19:09
MOD confirms loss of recruitment data (http://www.mod.uk/DefenceInternet/DefenceNews/DefencePolicyAndBusiness/ModConfirmsLossOfRecruitmentData.htm)

The Ministry of Defence can confirm that a laptop was stolen from a Royal Navy officer in Birmingham last week, on the night of 9/10 January, and as a result, a large quantity of personal data has been lost

The stolen laptop contained personal information relating to some 600,000 people who have either expressed an interest in, or have joined, the Royal Navy, Royal Marines and the Royal Air Force.

:\

Tigs2
18th Jan 2008, 19:27
That is serious information according to the link. Was it encrypted? Password protected? Let's hope the laptop was stolen by a junkie just wanting £20 for his next fix, and that the data has been wiped.

airborne_artist
18th Jan 2008, 19:29
So that will include details of AA Junior, and a fair few posters on the OASC thread. Luckily AA Junior is not yet 18, so applications for credit cards in her name won't get very far.

OmegaV6
18th Jan 2008, 19:36
600,000 names/details ??

I just wonder how far that will go back 5 - 6 years or more ??

Won't affect me, they were still using quills and parchment when I joined ( thought I'd say it before anyone else did :) )

Fg Off Max Stout
18th Jan 2008, 20:08
applications for credit cards

I'd be more concerned about the information falling into the hands of unfriendly nations or terrorist organisations. I'm sure that data would be very valuable to certain undesirable outfits.

Pontius Navigator
18th Jan 2008, 20:20
My laptop has an encrypted hard drive. A real b:mad:r to use. So difficult in fact that the login and password routine stay with the laptop.

Now in that is not a bad thing, provided they are held separately from the laptop when in an insecure area.

Now of course it would never have been in the laptop case with the laptop. Would it?

If it wasn't in the case then I am sure he would have kept it secure in his briefcase and not left that in the car with the laptop. He would wouldn't he?



bets?

SRENNAPS
18th Jan 2008, 20:39
Just shown my daughter the link. It is almost certain her full details are in that laptop somewhere. She is not happy.

I gave her plenty of moral support by taking the pi$$ out of the Navy and the incompetence of leaving such an item in a car in Birmingham. I did, of course, forget to mention the GW1 Wg Cdr Laptop incident.

Seriously though, my daughter’s information will almost definitely be there so if anybody has any more gen or advice please PM me.

airborne_artist
18th Jan 2008, 20:44
The BBCi page has been updated:

"But for those who progressed as far as submitting an application to join the Forces, extensive personal data may be held, including passport details, National Insurance numbers, drivers' licence details, family details, doctors' addresses and National Health Service numbers."

"The MoD said it was writing to 3,500 people whose bank details were on the laptop's database."

The most surprising (and uncorroborated) quote is:

"Simon Davies, from pressure group Privacy International, told BBC News 24 he was "flabbergasted". "I cannot believe that our flagship security agency (what does he mean?) cannot get this right," Mr Davies said.

"The idea that someone could have the computer with the information unencrypted - it is on a par with the HMRC loss."


You do also have to ask what kind of data-management solution is designed to enable a laptop to contain so much key data. Why does it need to be on a laptop at all? Surely some/much of the info can be held on a server and viewed over a secure link when needed?

Lord Trenchards Brat
18th Jan 2008, 21:00
Bl**dy priceless!!!:mad:

Well at least he will be able to raise a glass or two on his, no doubt, very forthcoming promotion.......

Pontius Navigator
18th Jan 2008, 21:05
According to a completely reliable source, Mrs PN said that if the information was encrypted it would be a given that the encryption passwords would have been with the laptop.

Tigs2
18th Jan 2008, 21:13
PN
they are probably stuck on the laptop in Dymo tape!

Lord Trenchards Brat
18th Jan 2008, 21:17
Just in case you have found the laptop without the attached passwords inside just rely on the good traditional infosec tradition of using the word 'password' as this seems to be a good starter for ten on any MOD laptop I have the displeasure of using.;)

tucumseh
18th Jan 2008, 21:37
I had to remember 93 keystrokes to access mine. Never did manage it. Never used it. My efficiency improved no end.

Pontius Navigator
18th Jan 2008, 22:01
tucumseh has it right. They made it TFD so that dymotape was the only way.

Now of course I don't have any notes on my desk with my random 21 alfa password do I?

The obvious solution is too easy for the plods.

Now I had one of my own passwords that was a simple one like:

"Oh to go down to the seas again to the lonely seas and the sky"

Try cracking that with a dictionary cracker program.

Mick Smith
18th Jan 2008, 22:08
It's alright. It's not a problem at all. Apparently all the information came from JPA so none of it's accurate anyway.

LFFC
19th Jan 2008, 00:31
Thief steals MoD laptop with details of 600,000 staff (http://www.mailonsunday.co.uk/pages/live/articles/news/news.html?in_article_id=509159&in_page_id=1770) - The Mail

Incredibly, the information was not encrypted - meaning it would be easily accessed by anyone with basic technological knowledge.

:ugh:

And the government wants everyone to trust them with ID card details? I think not somehow - either that policy is washed up, or this government is! Perhaps both.

Phil_R
19th Jan 2008, 01:18
Oh dear.

So the next generation of cannon fodder will be hieing into battle on the back of a lot of credit card debt run up by a man in Burundi.

Oops.

allan908
19th Jan 2008, 02:50
At least you now know that when you get an email from the "desk of" Jokoma Hungalunga inviting you to act for him with your bank account you will know that you definitely have been 'personally' selected and that he already has your account details!

chappie
19th Jan 2008, 07:34
never mind, the poor sods get to join us whose details were "lost" on the disk that had the child benefit details on it! me thinks that this government are hanging on by a thread to any trust we may have had in the system or their ability to look after us. as for any one with brain cells, then i'm afraid we are at a complete loss. that's because not long after my details were lost i received a letter from the child benefit agency apologising that they had lost my details and were doing all they could to get them back, so imagine my surprise when at the top right hand corner of the letter were my details. i felt like writing back to them and saying "guess what i've found them!" :E


plebs the bloody lot of them :ugh:

Al R
19th Jan 2008, 07:56
Wasn't there a Wingco who stopped to look at a car showroom, leaving Orbats etc for Granby on a laptop in his boot? Which went awol.

I wonder if there's such a thing as a time lock for hard drives.. even with access verified, data is unobtainable for a certain time, and possibly an auto wipe facility?

Either way, this isn't good. I have opted out of the NHS records system, and I am anti ID card, not on principle, but because I don't trust g'ment to a) do its job properly and preserve my security and b) stick to its word about what the ID card will be used for.

12 twists per inch
19th Jan 2008, 08:05
Easy, just have a lesson at Officer Skool on not to leave laptops in cars :ugh:

minigundiplomat
19th Jan 2008, 08:37
I suppose handing over a laptop saves them the bother of removing an ipod until the RN spill their guts anyway!

HeliAviator
19th Jan 2008, 10:21
What a complete idiot this RN officer was. I have two laptops in my charge, both encrypted; dongles and reader kept on my person and laptops are either carried with me or kept in a security cabinet when not used. Never are they left in a car unattended. Bloody simple rules that surely even this simple minded half wit could understand.

Hopeless, bloody hopeless. :ugh:

LFFC
19th Jan 2008, 11:48
Well, before you criticise an individual you have to know a bit about the circumstances - and I certainly don't! So I'm not going to comment, but it does raise interesting questions. For example, why was it necessary to have all that data on one laptop?

Was it because the individual was so overworked that he/she had to have it with him/her so that he/she could meet deadlines?

ricardian
19th Jan 2008, 12:21
Well, before you criticise an individual you have to know a bit about the circumstances - and I certainly don't! So I'm not going to comment, but it does raise interesting questions. For example, why was it necessary to have all that data on one laptop?

Was it because the individual was so overworked that he/she had to have it with him/her so that he/she could meet deadlines?


But he/she did not have it with him/her. He/she left it in the car.

Green Flash
19th Jan 2008, 12:32
I'm with LFFC on this one. Will someone please tell us why someone thought it essential to have over HALF A MILLION PERSONAL DETAILS ON A LAPTOP?:eek: Sorry, but I detect a strong pong of kippers here. Something ain't right. With that amount and sensitivity of data I'd expect it to be chained firmly to someone's gonads, not left in the middle of Birmingham.:confused:

D-IFF_ident
19th Jan 2008, 17:19
Something is not right here. According to Wikipedia:

http://en.wikipedia.org/wiki/British_Armed_Forces

The TOTAL strength of HM Forces was 429500 in 2006, and there have been reductions in numbers since then.

Also, according to the Times:

http://www.timesonline.co.uk/tol/news/politics/article3215887.ece

Personnel from the MOD have been caught lying in public and don't actually know the full extent of what the information taken was.

So, 170500 people MORE than there are already in HM Forces applied to join over the last decade? That would make 164 people EVERY DAY for 10 years! Or is it everybody's details who are currently serving AND 170500 (19 people per day for 10 years)?

Either way - the questions that need answering are: Why was this data held on that laptop? What liability insurance is the MOD offering everyone affected? Does the MOD even know who is affected? Is there a backup of the data?

And when does the board of inquiry convene?

kkbuk
19th Jan 2008, 17:36
With all these people wanting to join the services, why do we have such a recruitment problem? Are we being told the truth here?
P.S. Lieutenant Commanders, R.N. are omnipotent, don't you know?

D-IFF_ident
19th Jan 2008, 17:53
That's a shame, but if they joined in the last 10 years they'll probably start getting lots of emails offering them cheap viagra pretty soon. :}

adr
19th Jan 2008, 18:42
Has anyone yet had a reply from the incident team's email address? I emailed my "Am I affected?" at 1350Z, and haven't yet (1940Z) had even an automated "Query received" response. :uhoh:

Edit: automated response now received, with a timestamp of 0906Z today, Sunday.

adr

EdSet100
19th Jan 2008, 19:02
The stolen laptop contained personal information relating to some 600,000 people who have either expressed an interest in, or have joined, the Royal Navy, Royal Marines and the Royal Air Force.

To me this means everyone currently serving, plus the recruits. It looks like a JPA data transfer.

Green Flash
19th Jan 2008, 19:22
With great respect Ed - borrocks!

You don't transfer data like that. On discs or electronically (via secure mil comms) or maybe DLT tapes or suchlike. Nope, something funny going on here.

The Helpful Stacker
19th Jan 2008, 19:35
(Although having spent a fair few years in the RAF this question should be easy to answer myself) why is the information being released so vague?

Who exactly is affected by this loss of sensitive information?

Is it all enquirers and personnel who have served in the last ten years or only those who have enquired and joined in the last ten years? If it's the latter then I'm alright Jack pull up the ladder as it's been a bit more than 10 years ago I joined the RAF but if it's those who have served within the last ten years regardless of when they joined I'm a bit less happy. Even more so as it's a bloody fishhead who has dropped the ball on this one.:mad:

I thought having left the RAF late last year that that was the last of the MoD being able to screw up my life.:rolleyes:

Pontius Navigator
19th Jan 2008, 20:06
From now on I shall switch off my computer firewall, change all passwords to something simple like 'password', set all my drives to SHARE and ensure my accounts program is up to date with full account details.

I shall also be enrolling with YouTube Nigeria.

As my information will be entirely accessible and transparent I believe it will be ultimately more secure than the Government storage as no one would believe it. :\

Green Flash
19th Jan 2008, 20:18
Just like Clarkson and his bank details, eh? Plonker (Clarkson, that is)

Pontius Navigator
19th Jan 2008, 20:23
GF,

:)

No. More like Jasper Maskelyne; everything hidden in plain view.

Green Flash
19th Jan 2008, 20:31
Double bluff sort of thing? Brave-ish call!

Almost_done
19th Jan 2008, 20:56
GF,

With great respect I believe with the laughable way the muppets in charge handle our data security, that it was a data transfer and they thought the easiest way, after the HMRC CD-Rom faux-pas would be a direct download to a portable HD then upload at the required point.

Especially with the 'tight' security of our personnel data on JPA......................!

Green Flash
19th Jan 2008, 21:13
A D,
Fair call, but was it a laptop or a portable hard drive? If a HD then it's just being moved from point A to point B. A laptop implies someone wants to view the data before it arrives at its ultimate destination - er, why, if it's just a data transfer? And there is still the question of why it was left in the motor? And why that amount/sensitivity of data was put on one system? And why under the custody of just one person? And ..... and .....

Pontius Navigator
19th Jan 2008, 21:38
And why of an f:mad:g computer in the first place?

The majority of the stuff I access - public at home and government at work - resides on remote servers. If I need something then I get that file and that file alone.

What on earth would anyone want with SIX HUNDRED THOUSAND records?

At 66 lines per A4 page that would be 9090 pages for a one line entry.

It is one mega database and you could play with it all day.

How many successful applicants bank with Barclays?
How many unsuccessful applicants were women?

etc etc.

FFS

Green Flash
19th Jan 2008, 21:45
Pont has hit it firmly on thumb. If it's a data transfer IT SHOULD NOT BE ON A PC!!

Someone, somewhere, is up to something.

The fish smell is overpowering. Methinks 600,000 people should all be just a bit worried; not so much with the loss, but with the way the data was being handled. Knowledge is power, and someone had access to a huge amount of it. Why?

minigundiplomat
19th Jan 2008, 22:05
1. Military makes government look bad.
2. Government loses 25m people's data, making selves look bad.
3. Military continues to make government look bad, government continues to lose data.
4. Government looks bad.
5. Military Officer (not a civil serpent, but a RN Officer) loses data, military looks bad.
6. Government looks slightly better as even the military can lose data, and are quiet at last.

Is it me, or are there 'dark forces' at work here?

(dark forces could well be a 2006 Merlot)

Tigs2
19th Jan 2008, 22:08
I cannot believe that they have 600 000 names and it is just people interested or applying to join the military! As others have mentioned, this sounds like a database of all the British military going back say 15-20 years. I hope the Sunday press dig out more info tomorrow. Can't wait for Prime Minister's Question Time next Wednesday:E

Green Flash
19th Jan 2008, 22:13
If there are any Fishheads here can they verify the Dark Blue who lost the data? No names, no pack drill, but can they verify it was a real live RN officer? (Can you see where I'm going here?!)


Oh B0ll0x, Black Omega outside already!

Tigs2
19th Jan 2008, 22:15
GF
No, I can't, it's been a long day. Spit it out for us dullards.

Ta!


(they can't send Black Omegas for all of us!)

Green Flash
19th Jan 2008, 22:21
No independent report that it was an RN officer, just an 'official' statement. Believe what you want (or are told) - (Oh FFS, I'm sounding like MGD or any of his other aliases!)

Too much (or maybe not enough) St Peters tonight. Sleep Bingo caption is lit.:\

Pontius Navigator
20th Jan 2008, 09:24
The numbers are barely credible.

I was told on good authority that the AFCO foot fall for officers to the RAF is 12000 pa. Even assuming a ratio of 5-1 that could put the airmen footfall at 60000 pa. This could of course sum to the 600 000 for the RAF alone but is it really credible that they recorded and retained records of every one of these wannabes?

Factor this up for the Army and down for the Navy then the total 10 year foot fall could, I guess, reach 3 million over 10 years. Thus they have 'lost' records for 20% of the people interested in the armed forces?

I suppose this is just credible if my assumptions are right and they didn't include the 80% who just popped in on the off chance 'I was walking down the street and it began to rain'.

As the 12000 wannabe officer initial foot fall falls to 12000 and the into training pilot figure to 120, the whole numbers game starts to skew. OK, into Army training will probably match the higher numbers. Into RAF training, even at the bottom end, will remain far lower.

Kippers for breakfast I think,



from the smell.

VMD+12
20th Jan 2008, 09:25
These numbers do not add up. Where on earth do they get 600 000 people from interested in joining the RN or RAF whose joint manning totals less than 75 000. Do these figures include all the Sea Cadets and ATC cadets and all those serving in the Reserves? I still cannot see where 600 000 would come from. Which individual needs to have all this information on his laptop - what was his job that meant he could put so many individuals' data at risk?
It makes you wonder who else is wandering around with all the details of those currently serving on their lap top just waiting to be pinched.

VMD

Jimlad1
20th Jan 2008, 09:40
To ease the unfounded suspicions, I've got it on good authority that it was an RN officer type. I'm guessing that the 600k figure is everything from those who sent in an email to the website asking for more information, to those who went all the way and joined. Given the wastage ratio en route, 600k over 10 years or so doesn't seem that high - say 60k per year, of which maybe 6 - 10k would have joined.

Pontius Navigator
20th Jan 2008, 10:11
Just a thought, but there have been several offences committed under the DPA98.

The obvious one is the failure to implement proper safeguards to protect the data. I suggest this is the lesser of the crimes. As the Government says, you cannot legislate against this form of human endeavour.

The second, and far more serious offence, IMHO, is the retention of data beyond the period when it would have been reasonable to retain such data. This is clearly a systemic failure going on for more than 10 years.

Clearly no one saw the need to do a filter sort and archive or delete data. I suppose they would argue the need to retain information on a 16 year old as he may eventually return and reapply many years down the line. But to retain the data on an active list or out of archive!

Ray Dahvectac
20th Jan 2008, 12:55
Perhaps some clarification from the Sunday Times article (http://www.timesonline.co.uk/tol/news/politics/article3216683.ece):

The personal details of every person who wrote inquiring about a job with the navy, RAF and the Royal Marines in the last 10 years were held on the stolen laptop.

The MoD says the data include the names, home addresses, bank and passport details, national insurance and National Health Service numbers of thousands of staff and potential recruits. A Whitehall official said yesterday the details of many serving servicemen and women were among the data.

The information was not encrypted and would therefore be accessible to anyone with basic technical knowledge.

The article also discusses the threat to Muslim service personnel following the 'kidnap and beheading' plot of last year.

'Two Jobs' is to make another apology - er "statement" - in parliament tomorrow. To use the same terms as one of his predecessors, is his department really 'fit for purpose'?

Frelon
20th Jan 2008, 13:36
I agree with PN. There is no reason that this data should have been downloaded onto a local disc. The security systems should have ensured that sensitive data like this should remain on a secure server, only accessed by suitably authorised personnel and not downloadable.

Technology is now available that you do not need this stuff locally and you only access the information whilst online.

Why doesn't the government get its act together????

LFFC
20th Jan 2008, 13:55
Technology is now available that you do not need this stuff locally and you only access the information whilst online.

Whilst the technology might be available, has it been properly funded and installed?

MoD defends £5bn IT system (http://www.theregister.co.uk/2007/11/19/mod_says_dii_is_peachy/)

cazatou
20th Jan 2008, 14:21
HMG recently stated that the personal details of 25,000,000 people who received Child Benefit had been lost - this data included Bank details.

If there are 25 million receiving benefit then there are at least 25 million children out there - total 50 million people so far.

The latest estimate for the total population of the UK gives a total population in mid 2006 of 60,587,000

Thus, if the Child Benefit claimant is the Mother and there is only one child, there are only 10,587,000 people out there to be Husbands/Partners; Grandparents, Great Grandparents, Maiden Aunts, Spinsters, Bachelors etc.

The only way the sums would work out is if the data lost was the personal details of EVERY PERSON WHO HAS EVER CLAIMED CHILD BENEFIT SINCE ITS INCEPTION

It's really quite pleasant here in France.

Pontius Navigator
20th Jan 2008, 18:17
Back on the laptop.

AFCO has records on a particular system which, I am reliably told, goes back about 3 years. The records from the previous system would not have been transferred to the new system.

The figures of 6 or 10 years and 600000 do not therefore hold up in relation to normal systems out there.

Someone must have done something quite deliberate to actually get 600000 records on to that laptop. As the STh said (I think they did), what was a junior officer doing with all those records.

adr
20th Jan 2008, 18:52
The following comments are based entirely on uninformed speculation.

I wonder if this might raise a question about protective marking. One person's application data might be marked confidential, or confidential exclusive, but when you bulk up to half a million.... It's the same sort of data, but the sheer volume seems to me to merit a level of protection way above that you'd arrive at by asking only, "What sort of data is it?"

adr

Pontius Navigator
20th Jan 2008, 19:09
adr,

What you allude to is indeed part of the security mantra of aggregation.

It is the same argument for not publishing publicly collated open source material etc as you are potentially focusing a hostile agent on interesting information.

How many people would be interested in the complete data on 10 people? or a 100 people scattered throughout the UK, or even a 1000.

But given a working population of some 24 millions we are talking 2.5% of the working population. Now even a marketing company would die for that focussed data set.

adr
20th Jan 2008, 19:23
Thanks, PN. So, to vary a little the question you and others have already raised, I'd say, choose one from these two:

What was (reportedly) an Area Career Liaison Officer of Petty Officer rank doing with a file marked [x] on his laptop, and how did he protect it while in his custody?
Why was this file marked [y] when it should have been marked [x]?


:sad:

adr

airborne_artist
20th Jan 2008, 20:26
AA jr applied to join the RN last year. She filled in the officer application form. The form asked for all her personal data, and additionally the name, former name, place/date of birth and passport numbers of both her parents. This will be standard for anyone who makes a formal application, as the info on their parents is reqd for negative vetting. How many more people are now involved, I wonder?

EdSet100
20th Jan 2008, 22:14
'Two Jobs' is to make another apology - er "statement" - in parliament tomorrow. To use the same terms as one of his predecessors, is his department really 'fit for purpose'?

I'm not sure that he should apologise in the HoC for something that is very clearly not his fault nor that of the department he oversees. The officer who screwed up would have been made aware, as we all are, of the dangers and restrictions of carrying mobile devices with sensitive data on them. This was a straightforward case of a blatant disregard of the regulations at a level well below the top of the MoD. Yes, a statement must be made to clarify what has been lost and the way forward and maybe the usual "regret" that it has happened.

In addition to whatever "standard" punishment the officer will receive, I think he should print out 600,000 letters of apology and personally sign, seal and post every one of them. Cock.

EdSet100
20th Jan 2008, 22:32
The form asked for all her personal data, and additionally the name, former name, place/date of birth and passport numbers of both her parents.

I think it's time the Services reviewed the way we do business with our applicants. A simple name, address, tel no and CV is all that is required for a career application at the outset. Nothing more, just telephone directory stuff. All applicants should be made aware that they will be subject to vetting (a page of no,no's could be supplied with the application form to filter out the time wasters) if they are successful at the selection stage. While the number of exams and interviews might reduce slightly (most applicants will get through the vetting stage), the number of vetting processes must reduce down to approx the annual intake of recruits. It's not rocket science and it reduces the amount of personal data held unnecessarily by the MoD.

Riskman
20th Jan 2008, 22:54
The Navy recruitment ad ran on the telly earlier with the strapline "Life without limits". Perhaps that should be "Life without laptops", or "...without limits on stupidity":ugh:

Tigs2
21st Jan 2008, 00:35
Ed

In addition to whatever "standard" punishment the officer will receive, I think he should print out 600,000 letters of apology and personally sign, seal and post every one of them.

but the addresses are all on the laptop:}

D O Guerrero
21st Jan 2008, 01:21
Just for interest this is the reply I received after contacting the email hotline:
"Dear Sir
Thank you for your enquiry to MoD Recruitment Data Check.

I have checked the data base using the information you have supplied and I can advise there may be a record which relates to you held on the laptop.
If you require further information at this time can you please apply in writing to the address noted below and enclose photocopies of two of the following documents

· A photocopy of the page of your passport with your photograph on it.
· A photocopy of your driving licence (both card and paper counterpart).
· A photocopy of a recent utility or other bill, such as a mobile phone bill showing your home address. We do not need to see the details of the bill, just the address
· A letter from your employer confirming your home address.
· A photocopy of any letter from a body such as your bank, building society or council showing your home address. We do not need to see the contents of the letter, just the address.

The address is: Recruit Data Check
Mail Point 403
Kentigern House
65 Brown Street
Glasgow
G2 8EX



I have included some information:
What risk is there with this information being lost ?
MOD’s assessment is that the loss of data does not pose a significant risk to personal security.
We have already informed banks of the potential loss of data for the small proportion of records where bank account information was held. This means that banks have already been alerted to look for signs of any irregularities in these accounts and then to alert individuals.
In addition, at the request of the Home Office, the Association for Payment Clearing Services now play a leading role in raising the awareness of identity theft. Should you have internet access, you may wish to view their website which provides practical advice on how to minimize any potential problem as a result of potential loss of data. This website can be viewed at www.identitytheft.org.uk (http://www.identitytheft.org.uk/).

If I am one of the people affected, what should I do?
There are some practical steps you can take to make sure your information can’t be used to defraud you or for other criminal purposes.
You shouldn’t give out personal details if anyone contacts you unexpectedly but take a note of their name and telephone number.
If any of the passwords you use to access personal accounts (for example on the internet) use any of your personal data, for example your date of birth, you should consider changing them.

What steps have you taken to protect bank details?
If you are one of the people whose bank details may have been affected, we have already let your bank know about the theft and they are monitoring your account for signs of any unauthorised activity.
The banks and building societies have told us that they have the appropriate safeguards in place and that there is no need for you to ask for a new account or to contact them.
If your account is used fraudulently by someone else then you will not have to pay but you might wish to take some steps to protect yourself. If you receive bills, invoices or receipts or see entries in your statements for goods or services which you have not ordered you should contact your bank or building society immediately.


Yours faithfully,



MoD Recruitment Data Check"


I find it absolutely amazing that they can't even be arsed to apologise! And what makes them think I'm going to trust the MOD with copies of ANY important documents?
In the time since I submitted my application to the RN, I've had time to join, complete 9 years service, retire and move on.. What the devil do they need data on me on some idiot's laptop for?
Court martial him. And then send him to me...
Steward, my gun!

Tigs2
21st Jan 2008, 01:27
We have lost your data, so please send all the sensitive bits to us again, so we can lose it again:ugh::ugh:

D O

So you are at 9 years + retirement, maybe we should press to test and see who gets the 'longest' time back where they say

I can advise there may be a record which relates to you held on the laptop:E

El Mirador
21st Jan 2008, 06:00
I am furious about this as a close personal relative had their info. on this computer. They have never applied to join or been in the Armed forces but had a job with a link to them. They had an apologetic call from an Army Officer and were given a police number to call immediately if needed as their security is now threatened. I don't know how this laptop went walkies but I hope whoever is to blame will be seriously dealt with.

Ivan Rogov
21st Jan 2008, 09:44
Is the MOD exempt from the Data Protection Act?
http://www.ico.gov.uk/what_we_cover/data_protection.aspx
Can we expect a mahoosive fine or even a prosecution for the loss of the data that we probably shouldn't have kept in the first place?
Standby for even tighter rules on IT, our laptops and PCs will take so long to log into soon it won't be worth using them :(

Frelon
21st Jan 2008, 10:36
I can see no reason whatsoever that sensitive data like this, which contains the personal details of thousands of people, should be allowed to be downloaded onto a local hard disc.

Yes, it may be that somebody may want to analyse this data (perhaps offline) but there is no reason for this data to contain any personal details.

I am sure (at least I hope) that the banks do not allow personal data of their customers to be downloaded onto the laptops of their employees, so why the MoD and other government departments?

The Pharmaceutical industry collects masses of data in the clinical research process from patients (sorry, I mean subjects) taking part in clinical trials all over the world on a daily basis. This data is then analysed by the stats department within each pharma company. None of this data contains personal details of the people taking part in the trials. If they can do it so can government departments.

Anyone who authorises a software program to be able to download personal data onto a local hard disc should be responsible and accountable - in court if necessary.

Do you have data on your local disc which could embarrass you (or the MoD) if found in the boot of your car or stolen from your home??

Think long and hard about this hard now.

.....and what are you going to do about it??

Duckandcover
21st Jan 2008, 10:46
Seeing as my data is no doubt on said laptop I'll have my twogigs worth.

Looking at the MOD statement and the posts on this thread and I'd say it's fairly reasonable to conclude that the 600,000 records is everyone that's enquired and then joined (or not) the two services within the last ten years.

I don't know why bank details would be with that. I don't recall ever being asked for bank details as part of the recruitment process...?

So there's a question about the source of such data and then why was it needed. Were they planning to cold-call those who lost interest? Were they looking to identify target areas based on enquiries, is there an area of Solihull with a predisposition to join the SBS?

I'm surprised that people, especially military (how quickly we forget the IRA) do not know that laptops are an easy target, especially for your average junkie that needs a quickfix.

Very disappointed. For the officer concerned the worst thing, ultimately, is the shame in letting down your colleagues.

Tigs2
21st Jan 2008, 11:33
When will someone make a public definitive statement as to what has gone, how it was there in the first place, and why it was there?

airborne_artist
21st Jan 2008, 11:55
Swiss Des will be making a statement to the House at 16.15 approx.

Wader2
21st Jan 2008, 12:59
the way we do business with our applicants. A simple name, address, tel no and CV is all that is required for a career application at the outset. just telephone directory stuff.

(a page of no,no's could be supplied with the application form to filter out the time wasters)

Nice thought but that is not fool-proof. It doesn't cater for people claiming their brother's qualifications and even submitting the certificates.

it reduces the amount of personal data held unnecessarily by the MoD.

It could also be argued that retention of application data for the life of an applicant's recruitment life, say 16-39, might be justified to monitor whether an applicant has made numerous and unsuccessful applications and even changed their 'legend.'

Retaining or collating all that material on one laptop is an entirely different matter. Surely any data analysis should be done at the HQ level and not an outstation. As it appears it is Air Force/Navy data well the mind boggles 600000 for a combined force of 70-80000.

Stroll on 1615.

steamchicken
21st Jan 2008, 13:09
The maddening thing about this is that the world-standard database format, SQL, includes as standard the ability to define, grant, and revoke levels of permission for any and all users on the system. Quite simply you GRANT read, edit ON recruits for each user, or each group of users; under no circumstances do you GRANT ALL ON recruits to anyone but the db administrator. However, it seems anyone in government gets to use the DUMP command (i.e. export all records to local disk)...

LBGR
21st Jan 2008, 13:43
Whatever this information was being used for, right or wrong, it does not excuse the way it has been handled. It should have been made secure. As someone who has lost his data in this incident, the most annoying part is not that this data was being kept, because as someone who is serving this is expected, but the fact that it was stored in such an irresponsible manner.

I have found myself asking the same questions that have been posed on here several times, why did this chap have these details to take home with him, why were they not encrypted, and why (ffs) did he leave them in his car? If he was doing something dodgy (not necessarily for personal gain, but just flaunting the I.T. rules to meet deadlines or something along those lines), then why on earth was he not taking EXTRA care?

And as for sending a photocopy of my details off to Glasgow? The jury is still out on that one...

papajuliet
21st Jan 2008, 14:15
Anyone who works in Birmingham should know better than to leave anything of value in a car in Edgbaston - it's a wonder the car was still there [and I do speak from experience having worked in that area and had my car stolen -that was 30 years ago and I think crime has worsened since then]

mustflywillfly
21st Jan 2008, 14:43
Submitted to BBC not too long ago:

I am one of the many serving members of the Armed Services who has had their personal details stolen in the recent theft of a laptop.
Today we received a "signal" that, because the incident had appeared in the press it was probably best that we should all know what had happened. In other words almost a written confession that the MoD would not have informed us had it not been made public knowledge.
This is obviously unsatisfactory but I feel there are further questions that need asking here. For instance why would my details from my application in 1997 still be recorded? This poses many Data Protection Act questions and surely warrants further investigation.
Also, amazingly, when calling the phone number set up to check if your details were lost or not, on confirmation that one's details have been lost they then ask you to post a copy of a bank statement, utility bill, driving license / passport to Confirm your Identity !!!! Unbelievable and just a little incompetent. I shall not be providing yet further information so that it can be lost by these idiots.

I just hope that we all receive a written apology and that some consequences occur ref the DPA.

I DO NOT think that the Lt concerned should be made an example of, yes he was a complete tool for leaving the laptop in the car. The important thing is that this exposes much deeper issues with the way some parts of the MoD are handling our data.

Grrrrrrrrrrrr

Wader2
21st Jan 2008, 15:08
That would be D O Guerero http://www.pprune.org/forums/member.php?u=169934 then :)

WeeMan18
21st Jan 2008, 15:31
Having just called the helpline I now know that my details are amongst those lost.

Given that I left the RAF just over a year ago, I can think of no possible reason why a RN Petty Officer recruiter attending an URNU town night in Brum should have in his possession my personal, legal and financial data and then leave it unattended. This simply is not good enough: a balls up of epic proportions from the PO involved but also mismanagement of sensitive information at a higher level.

It seems that some of the personal security lessons of the IRA years have been forgotten by this chap and his hierarchy on a monumental scale. Potentially Al Q could now have the home address and family details of everyone who has joined the Armed Forces in the last 10 years (the overwhelming majority of all serving personnel) and the Nigerians could have a bumper harvest financially crippling the same group.

Forgetting the Data Protection Act for a moment and considering the detrimental effect this could have on the security of the majority of personnel, perhaps the Official Secrets Act should be invoked. I suspect, though, that most of this data is 'Staff in Confidence' whereas by virtue of the sheer volume of sensitive personal information it should be handled as Secret or Top Secret.

In short: not a happy bunny. Let's hope the thief panicked and threw the laptop in a canal. Unfortunately, no one will ever know how far this data has travelled until it comes back to bite us on the arse.

I'm sure 'lessons will be learned' as always. Unfortunately they should have been known all along and now the damage may well have been done. Muppets.:mad:

airborne_artist
21st Jan 2008, 15:45
WeeMan - the loser of the laptop was an RN Lt, not a Petty Officer.

Duckandcover
21st Jan 2008, 15:45
Just watching the discussion..

Laptops lost by MOD personnel:

2007: 68
2006: 66
2005: 40
2004: 173 (I am guessing this reflects the early days of extra stupidity)

Of this number, 2 more held recruitment data, one RN laptop stolen in October 2006 (I missed the number of records if it was announced) and 500 records on a laptop stolen from an Army "officer" in December 2005. Apparently it was believed these laptops were encrypted.

I know of one with Tornado data lost by a consultant from Wyton. Documents relating to this theft were reported in local media. One assumes that the figures included that one and that private companies do not hold this data also (CAPITA manage some aspects of Police recruitment?)

Des says he does not believe the problem (of unencrypted data of this type) extends any further than the handling of this particular database, which is managed by Army Training & Recruitment on behalf of all the services.

Liam Fox says this is worse than the Benefit case because it was definitely stolen. He also asked whether the laptop concerned was an MOD or personal laptop due to the lack of encryption.

300 laptops have been recalled as part of this enquiry.

The laptop concerned had records dating back to 1997. Of the 600,000, 153,000 records held passport, national insurance, doctors details, religious beliefs, dates of birth and 3,700 included bank details.

Letters were sent to the 3,700. Further letters will be sent to the 153,000. Helpline and email contact established.

Sir Edmund Burton appointed to review. This outside of Police and MOD investigations.

Discussion ongoing.

WeeMan18
21st Jan 2008, 15:54
AA, Noted. It was widely reported as a PO (http://www.thisismoney.co.uk/credit-and-loans/idfraud/article.html?in_article_id=429540&in_page_id=1) but to be honest, the chap's rank doesn't really change things.

I'd agree with 'loser' though.

MostlyHarmless
21st Jan 2008, 15:59
Totally agree that governmental IT is in the dark ages as far as having a responsible attitude to data security and needs to sharpen up.

However, we live in the real world and you need to look after Number #1 - if your current job requires you to carry stuff around unencrypted on a work / personal laptop, I would strongly recommend TrueCrypt (http://www.truecrypt.org/) - it's free, flexible and very, very strong.

airborne_artist
21st Jan 2008, 16:00
Indeed - one would hope that whatever the rank, and commissioned or not, they would be adequately trained and monitored, and using systems that are fit for purpose.

airborne_artist
21st Jan 2008, 16:13
That last comment went way over your head, AIDU. A suitable system might, for example, limit the number/age/type of records that could be downloaded, and prevent the download of personally sensitive data.

It might even ensure that no or little personal data was held on a laptop, but viewed and manipulated over a secure link. It might also be fully encrypted, which seems not to be the case here.
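
The controls described in the posts above by steamchicken (per-role GRANTs rather than blanket access), Frelon (analysis without personal details) and airborne_artist (limits on the age and type of records that can be pulled), as an added PostgreSQL example that is not from any poster or from the MoD system. Table, column and role names, the three-year retention window and the demo key are all assumptions.

```sql
-- Added example (PostgreSQL). All object names and values are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;          -- provides hmac()

CREATE TABLE recruits (
    recruit_id     bigint PRIMARY KEY,
    full_name      text NOT NULL,
    home_address   text,
    postcode       text,
    date_of_birth  date,
    passport_no    text,
    ni_number      text,
    bank_account   text,
    religion       text,
    service        text NOT NULL,                 -- 'RN', 'RM' or 'RAF'
    enquiry_date   date NOT NULL,
    outcome        text NOT NULL                  -- 'enquired', 'applied', 'joined'
);

-- Secret used to derive pseudonyms; readable only by the owner of the view.
CREATE TABLE pseudonym_key (k text NOT NULL);
INSERT INTO pseudonym_key VALUES ('constructed-demo-key');   -- constructed value

-- Constructed sample rows: one recent enquiry, one from 1997.
INSERT INTO recruits VALUES
  (1, 'Constructed Person A', '1 Example Road', 'B15 2TT', DATE '1989-03-14',
   'CONSTRUCTED', 'CONSTRUCTED', 'CONSTRUCTED', NULL, 'RN',
   current_date - 30, 'applied'),
  (2, 'Constructed Person B', '2 Example Road', 'G2 8EX', DATE '1975-11-02',
   'CONSTRUCTED', 'CONSTRUCTED', 'CONSTRUCTED', NULL, 'RAF',
   DATE '1997-06-01', 'joined');

-- Group roles; real users are made members of these and never own the tables.
CREATE ROLE recruiter NOLOGIN;
CREATE ROLE recruit_analyst NOLOGIN;

-- PostgreSQL grants nothing on new tables to PUBLIC; the REVOKE makes it explicit.
REVOKE ALL ON recruits, pseudonym_key FROM PUBLIC;

-- Recruiters work on individual cases: column-level read access that leaves out
-- passport, NI, bank and religion, and write access to the outcome only.
GRANT SELECT (recruit_id, full_name, postcode, service, enquiry_date, outcome)
    ON recruits TO recruiter;
GRANT UPDATE (outcome) ON recruits TO recruiter;

-- Analysts get a de-identified view instead of the table:
--   * direct identifiers are not selected at all
--   * recruit_id becomes a keyed HMAC, so rows can be counted and joined
--     but not traced back without the key
--   * date of birth and postcode are generalised
--   * rows older than the retention window never leave the server
CREATE VIEW recruit_stats AS
SELECT encode(hmac(r.recruit_id::text, pk.k, 'sha256'), 'hex') AS pseudonym,
       extract(year FROM r.date_of_birth)::int                 AS birth_year,
       split_part(r.postcode, ' ', 1)                          AS postcode_area,
       r.service,
       r.outcome,
       date_trunc('month', r.enquiry_date)::date               AS enquiry_month
FROM   recruits r
CROSS  JOIN pseudonym_key pk
WHERE  r.enquiry_date >= current_date - interval '3 years';

-- The view reads the base tables with its owner's rights, so the analyst role
-- needs SELECT on the view only. COPY or pg_dump of recruits run as that role
-- fails, because both require SELECT on the table itself.
GRANT SELECT ON recruit_stats TO recruit_analyst;

-- Self-check, run by the owner after deployment.
DO $$
BEGIN
    ASSERT NOT has_table_privilege('recruit_analyst', 'recruits', 'SELECT'),
        'analyst role can read the base table';
    ASSERT NOT has_table_privilege('recruit_analyst', 'pseudonym_key', 'SELECT'),
        'analyst role can read the pseudonym key';
    ASSERT NOT has_column_privilege('recruiter', 'recruits', 'bank_account', 'SELECT'),
        'recruiter role can read bank details';
    ASSERT has_table_privilege('recruit_analyst', 'recruit_stats', 'SELECT'),
        'analyst role cannot read the de-identified view';
    ASSERT (SELECT count(*) FROM recruit_stats) = 1,
        'retention filter did not exclude the 1997 row';
END $$;
```

An extract taken through `recruit_stats` still supports recruitment statistics, and a laptop holding it carries no names, addresses, passport, NI or bank fields.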

Tigs2
21st Jan 2008, 19:35
Weeman18

There are so many people implicated here, and as you say, why is a man/woman carrying your data 1 year after you have left. Find a good no win no fee lawyer and go for it. Your security has been compromised --for what? You could for example, quite rightly want to sell your home and move address etc. Be one of the first in, the lawyers will be itching for a case, as everyone else will take them on when they win.

airborne_artist
21st Jan 2008, 19:41
Your security has been compromised --for what? You could for example, quite rightly want to sell your home and move address etc. Be one of the first in, the lawyers will be itching for a case, as everyone else will take them on when they win.

To succeed in a civil court the claimant would need to prove a loss, which could be remedied by a payment of damages. The possibility of ID theft remains that, a possibility, and it would be hard as case law stands, to ascribe a financial value to that risk, other than the cost of changing account numbers at CC cos and banks, most of which will be for free. OK, a small amount of time, but no personal loss.

I can't see it happening right now. The idea that you need to move house to counter the risk of the MOD laptop is not viable, IMHO.

Tigs2
21st Jan 2008, 19:46
But worth a try:E:E

airborne_artist
21st Jan 2008, 19:48
But a no win no fee lawyer won't take it on if they reckon they have such a small chance of winning a very small amount. You'd have to front the costs, and be prepared to pay the costs of the other side if you lost.

JessTheDog
21st Jan 2008, 20:15
I suspect, though, that most of this data is 'Staff in Confidence' whereas by virtue of the sheer volume of sensitive personal information it should be handled as Secret or Top Secret.


Not just by virtue as I recall. I am sure that the JSP had a requirement to increase the protective marking for aggregated data (ie a cabinetfull of Restricted may be PM Confidential).

The only silver lining to this cloud is that the ID cards scheme will never be implemented. The No 2 ID campaign's support base is likely to number in the hundreds of thousands or even millions, as opposed to thousands or tens of thousands.

This is a catastrophic breach of the Data Protection Act.

D O Guerrero
21st Jan 2008, 23:54
Wader - wasn't me actually...
I don't waste my time on ill informed websites like the BBC for my news. I get everything I need to know right here :rolleyes:

L J R
22nd Jan 2008, 04:37
I have been told that to ascertain if your data is included, you have to supply more data to specifically identify you. Not unreasonable in the first instance, but why so much info to say - yes you have been compromised...Surely a name 'Fred Bloggs' is or is not included. If it IS included, then it is up to you to pursue if indeed it was your Fred Bloggs data. If Fred Bloggs' name is not on the list, you can remain anonymous.


How hard is that?

El Mirador
22nd Jan 2008, 05:04
In the case of my relative airborne artist, that could actually happen. They were contacted immediately by phone and given a special 'panic' number. Their personal safety could be compromised. Absolutely furious about the whole thing!

Pontius Navigator
22nd Jan 2008, 07:04
D O G, LOL, I guess someone might have cut n paste yr post then.

adr
22nd Jan 2008, 08:13
Some comfort for ageing SERE types. Although I fall in the "enquired, applied or joined within the last ten years" band, I've received the "there are no records on the database relating to you" email. Maybe the data dump was filtered by age.

adr

MrBunker
22nd Jan 2008, 09:03
Couldn't even find my details with a bloody service number and dates of service.

Inspiring.

Wader2
22nd Jan 2008, 13:20
Unencrypted!

Didn't know there were any official unencrypted laptops out there. Certainly the rules about a year or so back called for the declaration of all the unencrypted laptops to be given protection.

Oh, I forgot, if some rules were ignored why not ignore the encryption rules too after all they make access difficult.

Was it even an MOD laptop and not a private one with the incident being reported only in case the military database on a private laptop turns up in the currant bun?

Lima Juliet
22nd Jan 2008, 20:39
Just thought this might be of interest

Royal Air Force Wing Commander David Farquhar is not an internal auditor. But, on December 17, 1990 he discovered a security problem when a laptop that he had been using was stolen from an RAF staff car.

At the time the incident occurred, Farquhar was a member of the staff of Air Chief Marshal Sir Patrick Hine, Joint Commander of British Forces in the Persian Gulf. Farquhar was returning from a briefing for British Prime Minister John Major on plans for Operation Desert Storm when he stopped at a car dealership to examine several secondhand Range Rovers.

When Farquhar and his driver returned to the staff car, the laptop and two briefcases containing what were described as "sensitive papers" had been removed from it. The briefcases were recovered from a rubbish dumpster within hours, their contents apparently intact.

Royal Air Force officials concluded that the laptop had been taken by a petty thief rather than by an intelligence agent, and that the unit most likely had been taken in a so-called "crime of opportunity" by someone who apparently was unaware of the nature of what he was stealing. Reportedly, the subsequent RAF investigation concluded that the laptop most likely had been sold by the thief to someone who deals in the purchase and resale of stolen goods. Eventually the incident and the publicity surrounding it cost Farquhar his career.


I wonder what will happen to the RN chap?

D O Guerrero
23rd Jan 2008, 03:30
Didn't Alan West lose a few post-its on his early AM canal tow-path stroll? Didn't seem to do him any harm....

Whenurhappy
23rd Jan 2008, 10:21
Anyone who has been recently interviewed - or re-interviewed for a DV or similar will be aware of the requirement to be offered a copy of the report (as it is held on a database). If you ask for that copy, it will, as a default, be sent by second class post to your home address in a window envelope (with the DVA header clearly visible). No signature required, no positive control over a highly sensitive document.

Mrs W opened the envelope guessing it was my OJAR and read the report... but my concern is the sloppy disregard of the handling of personal information by an organisation that is largely built on trust and absolute discretion.

VMD+12
23rd Jan 2008, 16:33
Wader 2 you are incorrect. The Wg Cdr was not promoted. He was Court Martialled and, despite several very senior officers speaking in his defence, he was fined and lost all his seniority as a Wg Cdr with pension implications. He retired a couple of years later still a Wg Cdr (very junior).

stickmonkeytamer
24th Jan 2008, 06:12
Maybe now that the MOD has potentially compromised many thousands of people, they will pay for them to move to a new address.

They were £10000 short in my costs in moving home last time- £5000 is all they paid when I was posted to my new unit. If we are posted, all costs should be met. Is that a whole new argument? Sorry, rant over...

SMT

Melchett01
24th Jan 2008, 11:49
May I suggest that everyone who is currently serving and joined in the past 15-20 years might want to check whether their details were on that laptop.

Although the MOD said it would only affect those joining 2003 onwards, I joined in 1997 and for some inexplicable reason, someone decided it would be prudent to keep my OASC and IOT details (scores, entry dates etc) on this laptop for over 10 years.

The big question from my point of view is what have these details got to do with the 'personal' details such as names, addresses etc? Just what the hell was on this laptop that we aren't being told about - it seems there is all manner of data on it not simply what they said was there.

And I am not the only officer in my unit to have joined in the mid-late 90s who has found their details were on here. You have been warned!

Sentry Agitator
24th Jan 2008, 14:11
I've just had a reply from those Recruit Data check people in Glasgow....I wonder.....same JPA peeps perhaps? What could possibly go wrong?

It appears that even after 21 years during which I only attended the College of Knowledge in '05, that my details are likely to be contained too.

Anyway, even though I had given them plenty in an email, they have still asked for much more info as previously stated:

passport
driving license
utility bill confirming address
letter from bank
letter from boss

So they want much more information to be sent through the post and into someone's in-tray for suitable filing I'm sure???

I have replied to the nice email with a not so nice one declining their offer to lose more info about me. What do they expect; they want more than I could give under the Geneva convention if taken prisoner!

I am absolutely appalled

SA

JessTheDog
24th Jan 2008, 19:35
I believe my details are on the laptop....I joined 10 years ago and left 3 years ago. I need to send off proof of ID to get further details (they'll be instructed to return these!).

What is the extent of the data held? My view is that we are not being told the whole truth and this is not a loss of recent recruiting data, vast majority never submitted an application etc....
I'm looking for avenues to complain. And PMA won't be informed if I change address, as per reservist liability etc....can't trust them obviously!

LFFC
24th Jan 2008, 22:22
The Information Commissioner's Office (http://www.ico.gov.uk/complaints/data_protection.aspx)

artyhug
25th Jan 2008, 13:33
I must admit to being fairly unsurprised to learn of the amount of data lost but also somewhat concerned.

A quick email later and my sense of dread deepened as I was informed that there MAY, how can they only think that there might?, be information regarding my application on the laptop. Sure enough this was accompanied by a raft of documentation they required to confirm my identity before passing on any more information.

However, once I'd responded with a fairly strongly worded damning indictment of the process so far and a refusal to release any more personal information I was, considering this is JPAC we're dealing with here, frankly astounded to receive on my private overseas mobile number a phone call, identity check over the phone and confirmation of exactly what data was on the laptop.

So yes, Lt/PO Moron should be hung drawn and quartered and yes OUR data security as a whole is shocking

BUT and I'm choking on my frikadellen as I type this, well done JPAC...

:yuk:

XV208 SNOOPY
25th Jan 2008, 14:59
For Information.

The data base also contained data of people who applied for a Commission as certain types of RESERVISTS.

Swiss Des said that he did not think details of reservists were held on this data base.

Yet again

He was wrong!:mad::mad::mad:

Daysleeper
25th Jan 2008, 16:04
a phone call,

From the thief

identity check over the phone

to gather what little data about you he didn't have

and confirmation of exactly what data was on the laptop.

To make sure that what he had was correct.
:hmm:

Sentry Agitator
25th Jan 2008, 17:24
Having received a reply to my rather abrupt email describing my disgust and contempt that more info was required; I gave a call to the data check people. They have changed the request process for serving personnel.

You guessed it - JPA in Glasgow! and yes I am amongst the lost data.

However, a big thank you to Ian who handled my call. He was very helpful, although I had to keep reminding him that he was not responsible and that he shouldn't keep apologising.

I wish I could go face to face with the one who should though!

SA

P.S. I never thought I'd be thanking JPAC! THINGS MUST BE REALLY BAD?

manualtilt
28th Jan 2008, 19:39
Just received a 'personal' letter today (mass-produced mailshot to victims) stating my details were part of the recruitment data lost. The reason I'm so annoyed is that I joined the RAF 24 years ago and am still serving! So what f&@k are they playing at having my personal details on a disc for????

Will be phoning the helpline tomorrow (JPA) to see exactly what they are playing at.......

nav attacking
30th Jan 2008, 11:29
Quote "Subject rights
The data protection act creates rights for those who have their data stored, and responsibilities for those who store or collect personal data.

The person who has their data processed has the right to:

View the data an organisation holds on them, for a small fee, known as 'subject access'.
Request that incorrect information is corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded.
Require that data is not used in a way which causes damage or distress.
Require that their data is not used for direct marketing."

Does anybody know if an individual has the right to take the MOD to court over this cock up as well?

According to the Information Commissioner's Office's document at http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/dp_how_to_complain_final.pdf page 11 states we may be able to claim compensation for breaches of the act through the courts.

Any friendly lawyers out there have any ideas??

Wader2
30th Jan 2008, 12:28
Nav Attacking, you can certainly take the MOD to court but I believe you must have proper grounds. A good solicitor would, I am sure, find proper grounds.

manualtilt
30th Jan 2008, 16:28
Having rung the JPAC yesterday and asked for the list of information on me that was lost, I will indeed be seeking legal advice (comes free with my home insurance, although how good they are at data protection issues is another matter).
The ICO looks like a good place to start and I shall be writing to them in the first instance to start the ball rolling; as for court proceedings, well I guess we'll have to wait and see what the investigation finds.....
A further point of concern is the fact that one of the items of information that was included is also the same data which JPAC default to ask you if you forget your password, nice one!! I hope that security hole gets plugged soonest. At this rate damages and stress caused might well be a reality if a fraudster has got hold of the information - beware everyone!

PhoenixDaCat
30th Jan 2008, 22:39
Someone asked in a post several pages ago about what the MOD is doing keeping data that is so old.

They actually keep certain data on you until the date of your 100th birthday, whether you are alive or dead at that point.

Pontius Navigator
31st Jan 2008, 06:27
Phoenix, that is true, my uncle went missing in 1943. I tried to get in touch with his widow in 1995. They had an address on file from the 50's but no record of pension. I didn't realise that was probably available with the War Pensions people instead.

But, and this is the question, why was this data on a non-networked laptop?

Maybe someone was number crunching to show how recruitment effectiveness had actually increased on his watch?

airborne_artist
31st Jan 2008, 08:57
Miss Artist, who has made an application to join the RN, got a letter today, posted 2nd class, with an apology. The letter does not tell her what data of hers was on the laptop, and she will have to provide evidence of her ID before they will release that.

Given the worry, and possible disruption, a 1st class stamp wouldn't have been out of order.

AARON O'DICKYDIDO
31st Jan 2008, 18:11
So, we get around this problem of losing laptops by not letting any laptops off the unit . Great!!! (Unless they have some very expensive security software installed which cannot be funded at the moment).

Next week I am going to a meeting with a very large civilian aerospace organisation, without a laptop to view the info that they are going to give me when I arrive.
I cannot even book out a machine that does not have any info on it. I require only a viewer to read the docs that will be supplied to me at the meeting. This, I am told can only be achieved by providing a business case to the big boys at High Wycombe and no reply can be expected until after I return from my meeting. So while the civilian representatives at the meeting are buried in their computers following the program, I have to sit there like a plank.

Once again the RAF will look very professional - NOT.

A knee-jerk reaction or what?

Why do we bother ??

Seaking93
31st Jan 2008, 21:40
Miss Artist, who has made an application to join the RN, got a letter today, posted 2nd class, with an apology. The letter does not tell her what data of hers was on the laptop, and she will have to provide evidence of her ID before they will release that.


My youngest had such a letter yesterday, as he is currently in Afghan I opened it to check if anything needed to be done before he gets home, today another letter exactly the same arrived, why send 2 letters, our eldest should also have been on the list as it goes back to 1999 I understand, we now await his letter(s).

muppetofthenorth
31st Jan 2008, 22:11
Being on a UAS, and having done a full application before that, I'm expecting one, if not two letters.

But they're having a laugh if they think they're getting any more details from me to lose.

Best other options? Legal stuff sounds interesting - if enough people do it surely some more drastic action would have to take place, rather than some knee jerk reaction to prevent people from doing their jobs.

Perivod
1st Feb 2008, 19:11
I have just received the said letter from the MOD saying that details given when I expressed an interest in joining the RAF have been lost. I joined in 1969!! Assuming the figure of 600,000 is correct, then this is many times the number of total serving personnel. I will be writing to both my MP for a further explanation and my solicitor to see what action can be taken.

Pontius Navigator
1st Feb 2008, 19:47
Any advance on 1969?

StopStart
1st Feb 2008, 20:44
Our tit witted police farce have done a fabulous job of applying for planning permission for a stable after the horse has bolted with this one. Their collective knee has jerked so hard they've kicked their own teeth out.....

The blanket ban on the use of IT off base shows a tremendously slender grasp of the realities of the real world. As well as banning the use of flight planning laptops off base they're also restricting us using PDAs too. Laptops and PDAs that have nothing secret, sensitive or interesting on them.

I'm going to suggest that as our aircraft have a few computers on them then we should consider not letting those off base. In fact, my flying suit's got my name on it.... Better leave that on camp too.....

I do despair sometimes.... :ugh:

will fly for food 06
2nd Feb 2008, 07:44
I too received the letter yesterday. I pvr'd over a year ago and this was the first letter of any sort I had been sent.

AdanaKebab
2nd Feb 2008, 11:11
It was bound to be a smack head needing a quick buck. He'll have nicked it and sold it on quickly. The information is unlikely to be used and has most likely been deleted/ ignored.

The same information could most likely be found by looking through your rubbish!

Yes, it shouldn't have happened. Yes, heads should roll. As for compensation/courts ... forget about it, you're wasting your time.

..... and yes, my details were on the laptop!

Seaking93
2nd Feb 2008, 16:10
What on earth is going on at the MOD?
Letter number 3 arrived this morning for my youngest, every one exactly the same!
A competition could be started, who gets the most copies of the same letter:ugh:

Fg Off Max Stout
2nd Feb 2008, 16:30
Maybe he has mine. I haven't received any letters even though the phoneline confirmed that my data was on the laptop.

Class action anyone?

tablet_eraser
3rd Feb 2008, 07:44
Off to see my MP next week, having found out that the MOD lost some of my personal data. Then on to legal advice, I suspect; the Data Protection Act states that data can only be held for as long as it is required; why they're still keeping personal data from when I applied to join up is quite beyond me, but I'm reasonably sure that there are some tough questions to be asked.

talk_shy_tall_knight
3rd Feb 2008, 08:14
Off to see your MP eh, then legal advice.

So what "tough questions" have you got planned then?

BEagle
3rd Feb 2008, 08:52
Stoppers, the CIS-pig iPlods have always floundered about in the dark ages of IT! Some bristling little Stasi-type once thought that, by using the squadron BBC Master to calculate turn range data, I was breaking his Rules. "Wot's it going to be used for?", he demanded. "You don't Need To Know", I explained, "Anyway, trigonometry is hardly a state secret!". Fortunately the Boss told him to do one.

I'm intrigued to know how AAR trails can be managed away from base if Plod prevents the AARCs from using planning software.

A few 24 hr delays in expensive locations whilst everything is laboriously faxed back and forth, perhaps?

Back in the days of steam-planning AAR trails, there was often an extra day built in to allow the AARC with his (they were always 'him' back then) charts, dividers, Dalton spinwheel, piece of string (honest!), lodestone, quadrant and abacus to crunch his numbers. That was for relatively straightforward trails such as Akrotiri - UK. But nowadays the luxury of sufficient people and time to cope without the use of computers has disappeared.

I suppose you can always go to an Internet cafe and Google for some MSFS geek's flight planning website?

Or maybe the iPlods will have to accompany you around the world, with your flight planning laptops manacled to their trotters with a stainless steel chain?

cazatou
3rd Feb 2008, 08:56
The Administrators never acknowledged my letter informing them of my move to France - only sent because it meant I was no longer liable for Reserve Service.

Perhaps MOD could arrange for Paymaster to add a one sentence statement to the P 60's they will shortly be dispatching worldwide as to whether or not the recipient's personal data was lost on this computer.

Pontius Navigator
4th Feb 2008, 15:50
Miss PN2 received her letter today. It was dated 24th Jan. I guess the 11 day delay is because the post office couldn't handle half a million letters on day 1.

When Mrs PN saw the requirement to prove identity her reaction was a more volcanic reaction than some mentioned here earlier.

The only bright spot is that Miss PN2 is now Mrs xx1. However Mr xx1 is probably going to get a letter too.

airborne_artist
4th Feb 2008, 16:10
I'm not sure which is worse:

1 - losing data on those who applied, (we're interested in you, but we don't respect your rights, and we're not very good at paying on time, so continue at your peril)

2 - those who failed FATs/AIB/OASC (here's another kick in the teeth, look on the bright side - we're not c@cking up your pay)

or 3 - those who did join (if you can't take a joke you shouldn't have joined, and we still reserve the right to c@ck up your pay, allowances etc)

WeeMan18
4th Feb 2008, 17:28
or 4, for those who applied, joined, served and left: you thought you'd got away but military admin is going to haunt you til the day you die! :ugh:

Pontius Navigator
4th Feb 2008, 18:07
As the ex-Miss PN2 observed, it is a matter of luck that she got the letter as she is now on her 4th or 5th address. She expects Mr XX1's letter to be going round the bazaars too.

She also wonders which part of the database her info was. Was it dark blue or light blue?

:mad:

rafmatt
4th Feb 2008, 20:43
got my letter today

all my info is now in someone's hands cheers:D

passport number
name
ni number
and bank details

another cock up by someone

and what the fook is all that info doin on a laptop in the back of someone's car :mad::mad::mad::mad:

Friedlander
4th Feb 2008, 21:09
I understand MoD is now hiring laptops!

Despite best efforts, there are still a few laptops left in MB, but the recent ill-thought-out directives (issued with the aim of covering Swiss Wotsisname's Arse rather than with any genuine intent of protecting data) prevent the MoD from using its own!

As a result, they are having to hire-in laptops, which don't come under the edict, so can be taken off-unit without breaching the regulations.

You couldn't make it up (or perhaps I just did).

F

Something witty
4th Feb 2008, 21:57
Everyone is rightly pissed off at the stupidity of having so many records on the one laptop (leaving the location aside for a moment). It has been suggested that a large qty of info of one classification becomes, in aggregate, a higher classification... a principle I recall too.

Question is (and I have been wondering this for a while) how then is JPA classified? It does contain an awful lot of (admittedly often wrong:\) data on serving personnel. Some are rightly concerned about the danger of it falling into the worst hands... what if JPA is successfully hacked? :eek: It may be difficult but the scale of the 'reward' must dictate that it be worth some effort. Terrorist access to JPA would be potentially worse since all on it are guaranteed to be serving, this laptop data is not so 'pure' in that many never joined.

Could a cunning terrorist corrupt JPA in order to prevent those serving from receiving their pay? Just imagine what it would do to morale and retention if thousands of servicemen and women were underpaid every month and nothing was done about it...

Tigs2
4th Feb 2008, 22:16
If young geeky lads can break into the US defence computers then I am sure that JPA would be a stroll in the park for a determined computer criminal.

ZH875
4th Feb 2008, 22:35
Could a cunning terrorist corrupt JPA in order to prevent those serving from receiving their pay?


I don't think it will take a cunning terrorist, JPA seems to be able to do this all by itself....:(

Something witty
4th Feb 2008, 22:43
On reflection I think that any would-be hacker would be well advised to leave JPA alone... I think most would agree that the destruction being wrought from within will be more effective than that possible from without...:mad:

Edited for muppetry.

minigundiplomat
5th Feb 2008, 00:43
JPA is without doubt the greatest act of sabotage inflicted on the British Forces. For negative retention alone it is priceless. Why would a terrorist or foreign power want to hack in?

No member of Al Qaeda could ever hope to emulate the damage done to the Military by Nu Labour, aided and abetted by the civil serpents.

Almost_done
5th Feb 2008, 08:32
Well, yesterday came home from work to be greeted by the 'oops we seem to have made an error' letter, however it was not for me it was for the previous occupant of the MQ only 6 yrs out of date!!! :ugh:

Wader2
5th Feb 2008, 09:59
Well, yesterday came home from work to be greeted by the 'oops we seem to have made an error' letter, however it was not for me it was for the previous occupant of the MQ only 6 yrs out of date!!! :ugh:

Take it for action. You can be sure that someone else has yours.

The numbers involved are so huge, and we have a date as early as 1969, that it is almost a racing certainty that everyone is on it.

Stronny
5th Feb 2008, 18:11
Just to add to the list, though I'm sure it's long and distinguished.....like erm...well...TGQ

Found out, I too, am part of the many whose details are spread wide over the world; though I wasn't privy to a letter. My folks up North had the honour to receive it, the letter had been posted to a house I hadn't lived in for over 10 years...
Go team MOD....

As Hudson said in "Aliens"

"How do I get out of this chicken S!"t outfit"..

Top Right
6th Feb 2008, 10:50
So if the design and location of our outside-the-wire SFA weren't enough of a giveaway, the database with our previous (!) addresses should confirm where we all live in large numbers. joy.

JessTheDog
8th Feb 2008, 19:43
My data has been lost, photocopies (with nonessential information redacted and instructions to destroy) sent to get full details of what was held on me.

I've asked MoD to confirm that they accept responsibility and thus liability in the event of my being prejudiced by their negligence. What is particularly galling is that the letter spins the incident as a "theft" rather than as a catastrophic failure in security at many levels that allowed the theft!

Letter to Information Commissioner and MP will follow...as for ID cards, no way, and even the Census is starting to look dubious (US contractor in line for it....how safe will that data be?!?!)

The only way to stop the cavalier attitude to personal data is to have an automatic entitlement to compensation in the event of loss. Say £500 for each person whose record is lost. Multiply that by 600,000 (or even 25million!) and you have a very large incentive to look after data properly!

SRENNAPS
8th Feb 2008, 20:29
As posted at # 7, my daughter has also had “some very personal” data lost on this laptop.


Since the incident she has received a letter explaining the situation with a mega apology from the MOD.


She also rang the help line and has since received two calls from them keeping her informed of developments.


She is more than happy with the way she has been treated throughout this incident.


However what struck me was her attitude (she is only 20). Her main thoughts were for the poor lad that has lost the laptop: no career, no sympathy, and no support. All because of the way the mass media, politicians and the mass population get on the band wagon to blow up an incident out of all proportion and only because it’s the in thing at the moment.


Her words: “Dad, I stand more chance of my personal details being nicked and used from Amazon, Ebay or Paypal than that laptop being stolen by people who are going to actually use the data”.


I must admit I am quite proud of her lack of “I’m going to take the entire world to court, and I demand an explanation, and I want blood” type attitude.


Can’t fault her and certainly proud of the fact that she is not one of the “where there is a blame, there is a claim” culture.

Pontius Navigator
8th Feb 2008, 20:51
Srennaps, well done your daughter. I think most on here are not so much concerned with 'hang the guilty b^st^rd' but how and why was all that information on the laptop in the first place.

Who actually supervised the procedures?

Now the men in grey suits are quite happy to say 'we make the policy and we can't be expected to resign if someone doesn't follow the rules.'

It is inconceivable that a junior officer could collect and collate all that material on his own. Someone, somewhere set up a system or process where he was able to get that data. Was it authorised by someone who has yet to hold his hand up?

Even the regional 1* is unlikely to have needed that quantity of data.

Just what was actually going on?

Tigs2
8th Feb 2008, 20:58
Just what was actually going on

That is THE key question that has not been answered. I am amazed with the military contacts on this site that no more information that may help answer your question has come to light.

SRENNAPS
8th Feb 2008, 21:26
PN,

No disrespect but I think it comes down to “Hindsight is a wonderful thing”.

Since the IT revolution in the RAF (when it finally sunk in to officers that computers were a good thing) there has been paranoia about holding data.

There has been an attitude of “the more we hold, the better it must be”.

The amount of un-usable or not required data on computers has grown and grown since that revolution in the early nineties.

Sadly the processes to keep and control data have not really changed since those early days and more importantly processes have not even changed with the recent loss of data in other Government departments.

The system was there to evolve as time went on but let’s face it when it comes down to IT (In the RAF) it does not happen until it is too late. We are not good at it.

In the job I used to be in a few years ago, a couple of quotes I remember :

“We have no reason to move from MS DOS to Windows 3.1 and we have no requirement for colour monitors.”

More recently:

We will stay with Windows NT as we have no need for Windows 2000 or XP.

I have no idea what the policy is on Vista but I have no doubt that the RAF will get it 3 years after the rest of the world.

The point I am trying to make is that while there is such a negative attitude towards change within IT there will always be complacency and ultimately mistakes will be made.

SRENNAPS
8th Feb 2008, 22:22
By sheer fluke, that's probably not such a bad thing......wait until the first upgrade (SP1, Spring 2008 - maybe - & associated glitches have been eradicated), then move across!


Now that is exactly the kind of attitude that I am talking about. The rest of the corporate world seems to manage without SP1 but the MOD (RAF) can't.

I remember an IT security type policeman back in 2002 stating that if it was not for him Bill Gates and Windows 2000 would have gone under. Strange he is still a copper and Bill Gates is still rich.

Realise that this software is tested in places that you can’t even imagine and the addition of SP1 will have no impact on your security requirements.

Based on your attitude you might as well wait for SP2 (because there will be a release in the future). That way you are guaranteed to get Vista 3 years after the rest of the world.... just like previous operating systems.

Pontius Navigator
8th Feb 2008, 22:30
Since the IT revolution in the RAF (when it finally sunk in to officers that computers were a good thing) there has been paranoia about holding data.

Actually had the reverse paranoia about 4-5 years ago (?) when the FOI came in.

There was a massive clear out of paper and instructions to clean out old files, computer files and the like. The delete folder was to be emptied at switch off etc.

The main driver was to avoid being caught by the Act. The more we held the less likely we would be to know we held it and thus could be open to charges if we unwittingly concealed something.

At the same time the D CinC STC, now CinC Air, declared the arrival of the paperless office. Of course that didn't work as we didn't have the scanner/filer/shredder systems in place. :}

On holding data, I took over a job that had been gapped. With the job came about 6 filing cabinets but no keys. I managed to get through 3 of them before I was posted. One of them contained ancient reports on many of the staff when they had been students. Like a priest I kept my counsel. Twenty years on I can reveal that one highly respected instructor had a very marginal pass when he was first trained. Still it proved the initial assessment and subsequent training system all worked.

thelizardking
9th Feb 2008, 16:40
It gets better, cos they then sent letters to everyone on the computer, to the addresses they had at the time, which include service personnel living in or used to live in Ireland!! I was lucky enough that my old address was on the patch and my mate lives there now, he got my letter, which contained plenty of personal details.

kiwi grey
9th Feb 2008, 22:57
The rest of the corporate world seems to manage without [Vista] SP1 but the MOD (RAF) can't.
No it doesn't.
There is almost zero uptake of Vista in the corporate world, the only Vista PC's in most larger organisations are laptops or similar which won't run XP.
Any PC coming into the place I work (>5,000 PCs) that comes with Vista is "down-graded" to XP before it goes onto a user's desk. We are still buying brand-new Dell desktop PCs with 512MB RAM and ~2GHz Celeron chips which come with XP. These wouldn't have enough memory, CPU or graphics power to run Vista, but are entirely adequate for XP / Office2003. A roll-out of Vista will require us to replace or upgrade thousands of desktops. It ain't going to happen for at least another two or three years, by which time our policy may well have changed to specify Linux/OpenOffice for light users, if only someone can come up with an Outlook-compatible email client + calendar manager + contact manager. I live in hope

Tigs2
12th Feb 2008, 15:25
Ouch!! This is going to hurt:eek: Particularly as they have named him.

http://www.thesun.co.uk/sol/homepage/news/article791210.ece

AN Army laptop packed with secret information has been handed to The Sun — after a dozy officer left it in a PUB.

It contains personal details of more than 200 soldiers, plus data on their movements, military exercises and weapons store locations.

The computer was left by Royal Engineers Captain Luke Badger after a late-night drinking session in central London’s Troy Club.

A Sun reader found it under a table — and handed it to us.

It even contains the names of troops’ wives and children plus reports on soldiers including recommendations for promotion and disciplinary issues.

The blunder is another huge embarrassment for the Ministry of Defence, particularly as the data was not encrypted.

That is a serious breach of strict rules issued just three weeks ago by Cabinet Secretary Sir Gus O’Donnell.

Following a string of lost data scandals, he banned all laptops holding unprotected information from leaving government offices.

Capt Badger’s computer would have provided a goldmine for terrorists.

The Sun reader, who wants to remain anonymous, said: “I was amazed. He’s been very careless.”

We will return the laptop to the MoD, which promised an “urgent” probe.

Green Flash
12th Feb 2008, 16:33
For Crying Out Loud!!!!:eek:

Took a laptop to the pub, got sh!t faced and left it behind.:mad:

Words fail. After all the publicity, I really despair ..... :ugh:

Pontius Navigator
12th Feb 2008, 16:37
Hole, swallow and the S-word all seem reasonable options.

So one dark blue and one brown one. Light blue turn next?

Fit laptop bags with thermal destruct charges?

At least one hopes that secret information means personal or private or at worst restricted.

Logistics Loader
12th Feb 2008, 18:38
aka

Fast Track Promotion... !!!

JessTheDog
12th Feb 2008, 22:41
I doubt Capt Badger's laptop would be above Restricted. The man is clearly a fool anyway.

There are further questions about the 600,000 records lost however. I did the security officer course and subsequent secondary duty (pain in the arrse, RAF police are the best friends you will ever have in this thankless task). It was my job to know at least a little about the JSP 440. So I was left scratching my head, following my letter from MoD saying my details were lost:

- individual protective marking of records: surely Restricted-Staff.
- aggregate protective marking of entire database: I would say Secret (given the tests for protective marking), at least Confidential. Not to be on a bog-standard laptop or IT system.
- Need to hold data: My lost record is 10 years old. I have a corresponding Service record. Is there any need to keep both? If you don't need it, destroy it (and ensure a destruction certificate etc). At the very least, my record should have been archived.
- "Need to know": Does anyone need to have download access to 600,000 records?
- Laptop authorisation: I used to have to sign a Restricted laptop out in advance. Pain in the backside for NATO meetings especially! Who was responsible for the establishment IT security procedures? Normally the CO - in name only - delegated downwards.
- All of the above. We know a hapless matelot left a laptop in his car at the first sniff of rum on a barmaid's apron :}. Walk the plank he should, but the ship is leaking big time, the fish is rotting from the head down etc.... This was not an opportunistic theft (as my letter spun it) or down to an individual error of judgement. Security is supposed to be multi-layered, to prevent one individual making such a mistake.

Pontius Navigator
13th Feb 2008, 06:53
From the photo of the laptop it looks rather swish for the 'best value for money' or the 'cheapest money can buy' laptop.

Bit like the 777 crash I bet we can come up with some good theories and rumours.

I would almost hazard a guess that:

1. It was a private laptop because the security clamp down impinged on his ability to do work.

2. He could have used a company laptop but this would have meant collecting and returning it perhaps out of hours.

3. He took it into the pub to stop it being nicked from his car, assuming he was not on public transport.

Simply the whole laptop issue is fraught.