PPRuNe Forums - View Single Post - The JPA Cocktail Party - I Sh!t you not
Old 4th May 2006, 09:33
Almost_done
 
Join Date: Oct 2005
Location: Far from the madding crowd
Posts: 250
Danger JPA Security

From the RAF's own forums (names removed to protect the innocent):

Name:
Date: 27 Apr 2006 16:33
Subject: JPA Insecure?
Message: Having managed to access the JPA system, I am a little concerned that the software does not appear to use SSL (Secure Sockets Layer) protection - the https address and little padlock you get when using on-line banking, etc.

This apparent lack of security would allow plain-text data to run around the RLI. As the system is used to record and display personal details, including bank details etc, I find this very unusual.

If I am correct in my assumption about the lack of SSL, anyone smart enough could monitor the network and pick up the personal details that are being sent back and forth by JPA.

I have sent feedback to the AFPAA infoCentre and await their response but thought I'd share my concerns.



Name:
Date: 03 May 2006 13:08
Subject: Re: Re: JPA Insecure?
Message: Excerpts from the Data Protection Act 1998 Ch 29.

Principle Seven

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Interpretation of Principle Seven

Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to-

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.

Now this is information freely available to all open the RAF Intranet here if you have intranet.

I am not sure if this has already been covered but it does pose a question or two!!

Edited for spelling!!