Sky News Ticker states "MoD confirms 50,000 Personal Files stolen from RAF Innsworth"

Anyone have any more details? RAf staff or tri service? As the RAF have now left Innsworth is this SPVA/EDS, or were the files lost in transit to Cranwell / High Wycombe?

Well if its personnel files then it means everyone serving lol and some more (IF RAF)

Damm I hope my game is not given away as KIT :E

I think if we tried to flog JPA to the taliban they would crumble within weeks :}

More details here

Safety fears for 50,000 RAF staff after personal files are stolen - mirror.co.uk (http://www.mirror.co.uk/news/top-stories/2008/09/26/safety-fears-for-50-000-raf-staff-after-personal-files-are-stolen-115875-20754809/)

Looks like its a theft from the SPVA but RAF files lost.

BBC sez serving and ex serving.

BBC NEWS | England | Gloucestershire | Personnel records stolen from MoD (http://news.bbc.co.uk/1/hi/england/gloucestershire/7639006.stm)

Hope they don't find out I had my toe nail removed by the RAF when I was in !! :eek::eek:

At least it woz thieves wot dunnit.

This time.

Could it be an inside job, maybe they were swamped with claims and FOI requests!

I wish them luck in finding my 1369s (appraisals to you you youngsters:) ). PMA never managed to do it.

The Kiwi Jacket Thief strikes again? :E

This increases my faith in the goverment to run a secure national identity card system no end!

The official statement is as follows:

The Ministry of Defence is investigating the apparent theft of three computer hard drives from a secure facility at Innsworth in Gloucestershire.

Two of the drives are believed to have contained potentially sensitive personal data relating to personnel who served in the Royal Air Force in recent years; the third hard drive did not contain any personal data.

An investigation is being conducted by the MOD Police, with the support of Gloucestershire Police, and it would be inappropriate to give further details of the circumstances of the incident at this stage.

The theft of these hard drives from a secure location, where they were subject to physical protection standards consistent with the Data Handling Review, is being treated with great seriousness.

An urgent assessment is underway into the detailed nature of the data that was on the drives. There is no indication that the theft was motivated by a desire to obtain the data, nor that the data has been exploited maliciously in any way; but personal information on anyone serving or who has served in recent years in the RAF, Regular or Reservist, may have been compromised. The classification of individual documents is not believed to have been higher than RESTRICTED.

As the detailed assessment work progresses, the MOD will immediately notify any individuals for whom particularly sensitive information, such as financial details, was held and who may have been affected. In the meantime, concerned serving and former RAF personnel can get in touch via email – [email protected] ([email protected]) – or via a helpline (0800 085 3600). This will be available from 1000 to 1600 on both Saturday 27 and Sunday 28 September, and 0700 to1900hrs in the normal working week.

This was posted by the Ministry of Defence. You can find a copy at:
Ministry of Defence | Defence News | Defence Policy and Business | MOD investigating Innsworth hard drive theft (http://www.mod.uk/DefenceInternet/DefenceNews/DefencePolicyAndBusiness/ModInvestigatingInnsworthHardDriveTheft.htm)

Goddammit. This will be the second time all my personal details (bank account, address, NoK, blood group, religion, dick size (large), etc) have been lost by the MoD within the last year, having previously featured in the Birmingham car boot laptop incident. Within a few months of that event I sufferred my first occurence of identity fraud. Coincidence? This is just not good enough and I'm thredders.

When prisoners' details were recently lost, Government departments were apparently clamouring to offer compensation. I wonder when we'll be compensated and our details securely protected - I won't hold my breath!

:mad:

Prisoners (http://news.sky.com/skynews/Home/UK-News/Criminals-Personal-Details-Lost-Compensation-Concerns-For-Taxpayers/Article/200808415084479)
Previous MoD major sy f-up (http://news.bbc.co.uk/1/hi/uk/7197045.stm)

I think this is unlikely to be malicious.

Every small item of electronic equipment, not bolted or welded to the desk has a value and can be used, sold, exchanged, or given away for credits.

Memory sticks, portable drives, calculators, mobile phones, I-phones and players, etc have a ready market irrespective of what they contain. Even encryption is of no consequence because it is usually not visible at the time of the theft.

Every nationality in the world including UK citizens are employed as cleaners, cooks and bottle washers throughout all corners of the civil service and military. The usual security and criminal record checks will not identify a small theft character trait.

If not dumped in the river as being too hot, they will probably turn up at a boot sale in Gloucester for £3:00 each.

Why, why, why do we allow portable anything and windows everything.

Imagegear

The classification of individual documents is not believed to have been higher than RESTRICTED.

Um, may I mention a fundamental security concept called 'aggregation'?

Yes, a single personnel record may only be RESTRICTED. (Actually, it would probably be RESTRICTED MANAGEMENT or whatever the appropriate protective marking is these days). But several thousand of them together should collectively be treated as a single package to be protected at a rather higher level. This falls naturally out of the definition of protective marking levels - what used to be called classifications - as being related to the risk posed by compromise of the material in question. The loss of ten thousand personnel files is by definition more serious than the loss of one, so a hard drive containing ten thousand personnel files should be protected at a higher level than any file on its own.

Modernisation has a lot to answer for! For those of us old enough to remember mainframes, you couldn't stroll off with a couple of Winchester drives up your shirt! :}
Still, it's worrying that there doesn't seem to be any idea of what is actually on the disks, even if they are masters they should surely have backups available somewhere!
I'm sure it won't be long before the usual reassuring platitudes will be trotted out by the MoD, but in the meantime I await a flood of emails - either re dead relatives, or chances to move some serious money from Nigeria.

If they have already lost ones personal details - would it be a wise move to e-mail them? It would give them another piece of information to lose!!


PS. Perhaps someone could point out to them that one cannot usually dial an 0800 telephone number from overseas!!!

:ugh::ugh::ugh::ugh:

Sounds like an inside job by the Ministry of Spooks.....
http://i14.photobucket.com/albums/a341/nw969/Internet/zxzxz.jpg

Someone wants to try to work out who all the naughty people are who are criticising the RAF's 'leadership' :hmm: on PPRuNe.

Vauxhall salesmen report record sales of the latest Insignia, oddly enough the purchaser wanted black ones only, with high capacity batteries, larger alternators and 'special radios'.........:suspect:

Just like that one over therrrrrrargh...................:eek:

... or the culprit (or culprits) could be someone trying to steal their own records in order to hide the true reason they left, or were encouraged to leave, the RAF ... ;)

Can't believe no one has demanded that CAS / CINCAIR / AMP / Air Sec etc either resign or be sacked .....:E

I agree with your feelings on the matter!:ok:

AIDU (http://www.pprune.org/members/181784-aidu)


Quote:
I think if we tried to flog JPA to the taliban they would crumble within weeks
Why on earth would they need JPA?
http://static.pprune.org/images/statusicon/user_online.gif http://static.pprune.org/images/buttons/report.gif (http://www.pprune.org/report.php?p=4423469)


heheheh cause they need to get paid like us

Just tried the 0800 number(available at weekends as per MoD website guidance dated 26 Sep 08), had to endure several annoying automated messages before finally hearing the 0800 number was no more and the good number was now 01256 748 989. Rang the good number to hear they do not work at weekends, Great!!

Just phoned the helpline which turned out to be JPAC helpfull as ever......NOT! It will take up to 5 working days to find out if your bank details are out there in the public domain. They couldn't say how long it will take for the rest of the general info to be delt out. It is being done on a first come first served so I might get it by Christmas.....2010!!

The minimum should be a sacking and the public naming and shaming of the concerned Officers/MPs.

I phoned the helpline this morning. They don't know whose information was on the drives, or what information. Their only contribution was to change banking passwords.

This theft will be particularly galling to anyone who has attended the 'Cornish Walking Quietly Holiday' .

The RAF, or more correctly the service veterans whatever, allows all our personal information to be stolen from a 'secure' site. Somehow, reassurances that the RAF police are looking into it doesnt have a calming effect.

JPA and the Veterans Service blah should be scrapped immediately and administrative procedeures returned to the old system. And AOC Air Command needs to walk, soon.

God Im so p~~~~d off that the MOD not only makes mistakes, but keeps repeating them.

Mr Browne has promised to leave “no stone unturned” in the hunt for the thieves.
I bet the baddies are terrified, as I would be if I was about to mauled by a dead sheep.

They sent my pay statements to Iraq, while I was in Afghanistan!!!!!

Then said they shouldn't have paid me LOA while I was in Afg, despite not having any OWP on arrival. Currently on a 20% pay cut due to JPA f*ck-ups.

Currently looking at legal action into Data Protection Act breeches as to why my pay statements were sent to a hostile country!!

JPA WAS NEVER/HAS NEVER/WILL NEVER BE FIT FOR PURPOSE!!!!!!!!!!!!

I have contacted my bank to advise them that my wife and I might be affected and to monitor my account.

Most banks and building societies are grateful for the "heads-up" as their security dept can help prevent fraud and save the bank and you lots of money.

I suggest all serving and retired personnel consider doing the same as the liability then passes to others (your bank and the MOD).

Can any body see why the RAuxAF may not be affected.

Not one to normally post, I'd rather watch and chuckle but this one really gets my goat. I'm overseas, as pointed out 0800 numbers don't work and when you guys find a normal number they are shut for the weekend. I get paid by 'HMG' now, as far as the bank are concerned so no direct link to the RAF. Perhaps someone supposedly responsible for this debacle might actually provide useful information, guidance and protection for us. For goodness sake RAF wake up and look after your people before there aren't any left.

Mile and a Half,

Yellow hotizontal band above / Left hand end - 'User CP' / Scroll down to the ignore sub menu.

E-mailed the address given, as thought the 0800 number would be busy, at 11:25 today....still waiting even for an (automated) acknowledgement that the e-mail went through.




And why has it taken 10 days for the thefts to be reported?

Phoned at 1820 tonight regarding the loss of data. Directed to option 7.

Recorded message said:

"Please note, the open hours for this office are 10 o'clock 'till 4".

"Noted.....:mad:"

A recorded message with a little more detail was too inconvenient.

"And why has it taken 10 days for the thefts to be reported?"

probably because Binnsworth only provide useful output once every 2 weeks!!!

Another bloody shambles by our second rate employer. In fact I am suprised that they didn't use an 0870 number to rub further salt in the wounds

Its obviously a c*ck up of a big order and a silly middle manager is going to get chewed out. The press release stated that the disks were subject to the appropriate degree of security. Interestingly, it didn't say that the disks were actually within that level of security at the time of theft. It looks like someone didn't put them away or the access codes were not properly managed.

The bank details thing should not be a problem. Every time you write a cheque you tell anyone who reads it, what your details are. The RAF should not have your PIN and other private passwords to permit withdrawals from your account. Anyone who has my bank details can credit my account any time they like.

Q: What do; RAF Records, Child Benefits, NHS records have in common?
A: All been lost/stolen from Government sources in the last 12 months!
lsh
:(

will look forward to the compensation scheme that the prisoners recieved when there stuff went missing
Will it be a JPA claim i wonder

I emigrated half way round the world a few months ago. Despite having no forwarding address from me, JPAC managed to track me down to send me a bill and a letter stating 'sorry we signed-off and agreed that your accounts were in order, we have now decided you owe us a couple of grand'. Meanwhile, my personal details may be amongst those allegedly stolen. Could it be that they are misguided on their priorities? Or just idiots? :ugh:

What steps have they taken to inform those former Service Personnel who came from Commonwealth Countries and returned to their Country of origin after completion of their Service? For example, I served with Canadians, Maltese, New Zealanders and South Africans.

In addition there will be many British Ex Service Personnel who emigrated at the end of their Service. Not all of these people will have access to Sky/BBC TV or British newspapers.

Surely a written notification should be sent to every person affected along with recommended courses of action.

If the accuracy of the info stolen is of the standard as that of the tosh that was sent to me on retirement as supposedly being a record of my service/courses/appointments etc, perhaps we don't have too much to worry about?

Up date to post #34

And there is still no reply to my e-mail


What is the point of giving out contact details if no one responds customer :mad: service...!!!

mileandahalf

In view of your post #45 perhaps you would wish to reconsider your post #43

An apology might be in order as well!!!

I phoned the unhelpful helpline this morning, rather than wait 5 days I contacted my bank who weren't the least interested. The bank adviser reassured me that the worst that could happen is that a direct debit could be set up without me knowing!

Oh that's just great, I told him to make a note on my computer records that I had given the bank the heads up. I am now waiting for the letter to arrive from Innsworth. By the way, Innsworth will be using stored addresses for retired personnel, so if you have moved you stand a double chance of details going awry!

When I eventually got through this afternoon, I got the standard script of write to us with the necessary details etc, etc. Why should I be doing the writing? Shouldn't JPAC or whoever is "running" this outfit be writing to me -- and PDQ if the my personal records - including those of ex-Cpl(W) Mrs 4ma - are affected!! I'll go along with rej's defence of the lad on the other end of the line; it sounded to me like he'd not been given enough, if any, information to put minds at rest, so I was still left with an uneasy feeling and no re-assurance that all was as well as it should be.

Marks and Sparks or Mars probably exercise more effective control on the location tracking of items of ladies lingerie and chocolate confection than the MOD does on its sensitive data.

That’s a bit harsh, every station has a specially trained RAF policeman who advises and looks after IT security. They attend a special course run by the RAF Police to teach them all about it ………. So what do we have to worry about, all the data will have been safely encrypted by the RAF Police, no problems. :eek:

This link

http://www.mod.uk/DefenceInternet/AboutDefence/CorporatePublications/PolicyStrategyandPlanning/ReportIntoTheLossOfModPersonalData.htm

gives the report, and MoD's response, to the January 2008 loss of data.

All that needs to be done is Snopake out all references to Laptop's and pencil in USB Hard Drive's.

At a stroke, I believe I have saved the MoD thousands of pounds in having another enquiry into another loss of personal data. Part of that saving could be used by MoD to TELL US WHAT THE BLOODY HELL IS GOING ON!!

Taxydual

"Part of that saving could be used by MoD to TELL US WHAT THE BLOODY HELL IS GOING ON!!"


now you are making assumptions that the MOD knows what is going on:{

From what I've read it appears that the data loss includes F6000/F7500s since 2002. That's mine included - the second loss of my data!

There is no way I'll be having an ID card, regardless of the sanctions, if this is the government's approach to data security!

Also, I'm starting to think: if they are so careless with my confidential information, why should I be so careful with their confidential information? Can anyone in the Russian or Chinese embassies provide me with a Freepost address...before they lose the information anyway! :E

rej, you are correct.

I assumed that MoD knew what they were doing with personal data.

To assume, to make an ASS of U and ME.

Regards

under I for INCOMPITANCE
...or 'SP' for spelling, perhaps?

Sorry mate, but given where you used to work, I couldn't resist the dig....:E

mileandahalf,

I must confess that I am flattered that you use the same insults in a reply to me as you use in replies to retired Air Officers.

Of course, if you expanded your vocabulary you could find different insults!!

Stacey in JPAC recommends this if you've left:

E-mail to [email protected]

'Please could you advise me whether I am one of the individuals who have been affected by the recent theft of data. My service number is etc and my address is etc etc. I look forward to hearing from you.

Sincerely,

noregrets'

Feel free to copy and paste - it won't get you a reply any faster but at least it'll save you the price of a stamp :ok:

Thanks for that noregrets, most kind.

Stacey in JPAC recommends this if you've left:

E-mail to

'Please could you advise me whether I am one of the individuals who have been affected by the recent theft of data. My service number is etc and my address is etc etc. I look forward to hearing from you.

Sincerely,

noregrets'

Feel free to copy and paste - it won't get you a reply any faster but at least it'll save you the price of a stamp

Further to post #34 my e-mail sent to that address.....still no reply! :ugh:

Further to my last post, I have just received this really helpful reply from RAF data. On the plus side, it did take under an hour to get back to me, so that's something I suppose.

Dear Sir
Thank you for your enquiry to MoD RAF Data Mailbox.
As you are no longer serving with the RAF we need to ask you to write to us and provide verification of your identity and address. The address you need to write to is as follows:
Mail Point 600
RAF DATA
KENTIGERN HOUSE
65 BROWN STREET
GLASGOW
G2 8EX
Along with your request please enclose photocopies of any two of the below.
- photocopy of the page of your passport with your photograph on it.
- photocopy of your driving licence (both card and paper counterpart).
- photocopy copy of a recent utility or other bill, such as a mobile phone bill showing your home address. We do not need to see the details of the bill, just the address
- letter from your employer confirming your home address.
- photocopy of any letter from a body such as your bank, building society or council showing your home address. We do not need to see the contents of the letter, just the address.
Please note that no original documents should be sent and any photocopies of documents that are sent in will be destroyed by us once we have determined your identity.
Yours faithfully,
RAFData mailbox

:mad:

I got one of those too, so I must find more stuff for them to lose.

Why can't they just send out anything they know about to my address, I gave them my Service number, why do they need the rest.?

I really can't imagine! Unless of course they think you may have some info from the disks ...............

Look out for black cars

On the list of documents required to validate address, do you think:

- letter from your employer confirming your home address.
- photocopy of any letter from a body such as your bank, building society or council showing your home address. We do not need to see the contents of the letter, just the address.

Could be met by sending my validictory letter and a pension pay statement?

It would be too much to hope that they could work that out from my Service Number!

N Joe

I think they're hoping most people will give up in despair, which will cut down their 'work' load. You can just imagine the scenario: Stacey in JPAC has been hung up by her ankles over a slow-burning fire for trying to be helpful. The others are brainstorming (or whatever the polystyrene that fills their heads is called) ways of thwarting requests for information. "I know", cries Wozza, ground zero for acne, "Let's refuse to do anything by email. Everytime they contact us, let's demand more and more bits of paper, photocopies countersigned by JPs and blessed by the Pope". Wozza wins that week's award for Action Most Likely to Cause an Aneurism and the key to the executive toilet, which is where they store our paper records.

The IBN that went out today was dated 29 August 2008!!

Maybe they knew about the theft beforehand :)

What happened to proof reading something that would hit 10's of thousands of people to make sure it was correct? :ugh:

Having emailed my service number, asking if I was affected and how, I got this Dear Sir

Thank you for your enquiry to MoD RAF Data Mailbox.

As you have provided details for us to identify you and have a current JPA record, we do not require any additional details at this time.


As soon as the data has been analysed and we have determined what information was on the USB Portable disc drives, you will be notified in writing as to whether you are affected by this incident. This will be done via the address that we hold for you on the JPA system, please ensure these details are up to date.

Yours faithfully,

RAFData mailbox

Mail Point 600
RAF DATA
KENTIGERN HOUSE
65 BROWN STREET
GLASGOW
G2 8EX


Fine, but I don't have a JPA account as I retired just before it came in! As they have my address to send me pension info, I kinda hope that they would have the sense to use that!

sw

Evening all,

My guess is that Service Personnel and Veterans Agency data has gone missing. No proof, no evidence; intuition.

This doesn't just impact the R.A.F. If it turns out that it does then the theft has occurred prior to data integration.

hval

So, service records; don't they include NOK, date and place of birth, address, previous addresses etc? And aren't they the pieces of information required for obtaining credit, accessing information from banks, building societies etc?

I also received the email asking for copies of documents showing information JPAC already has. Should I ask the goon who sent that to send me a copy of his passport to my home address so I can verify his identity before I send him a copy of my passport? Why should I trust this bunch off ar5e-clowns with MORE of my personal information, when they have already lost plenty, and they apparently don't trust me.

Class action suit anyone?

:ugh:

RAF Police IT Specialists..!!!!

Trained by the RAF Police...!!!!

Only reason for RAF Policeman is because the Dogs aint trained to operate radios or drive police vehicles...

Maybe the dogs would get better results..

I'll be informing my Bank toot sweet this AM....

Command Handbrake House strikes again....

Bet someone gets promoted from this F U K up !!

yours disgusted

Perhaps it's just a ploy by whichever couple of underpaid old ladies keep the records of people eligible for call-out under the Reserved Forces Act to get people to write so that thay can update their woefully out of date records?

When I was serving PVR-porridge at Binnsworth, it was pretty obvious why some RAFResA folk were proving hard to find - institutional administrative incompetence.

http://i14.photobucket.com/albums/a341/nw969/Internet/zxzxz.jpg
If you've PVR'd, you're probably still eligible for call-out if you haven't reached your original NRD date. And, of course, you're supposed to keep 'Them' informed of your whereabouts every time you change address. But since 'They' don't tell you when 'They' change address, how can people be expected to do likewise.

I also pointed out that it would be up to 'Them' to prove that 'They' hadn't been told of any address change, should 'They' try to prosecute anyone for failing to respond to call-out! "I rang you ages ago and told you - didn't you write it down" was all anyone would need to say!

mileandahalf

Oxford English Dictionary:

"Pompous" = Magnificent, Splendid

Thank you

I'm interested in investigating a class action lawsuit against the MoD - breach of OSA, breach of DPA, breach of HRA. Depends on the extent of the data lost. Anyone else interested? Not interested in wodges of cash, more the principle, so ambulance chasers welcome!

Safeware (http://www.pprune.org/members/107555-safeware) #68
I also received same e-mail. Have replied both by e-mail & post with;
"As this is your cock-up you must be out of your tiny minds if you think that I am going to send you my driving licence and passport details. If I didn’t know any difference, I would imagine that this e-mail was a phishing expedition. I am afraid that it is up to you as the data controller, as defined in the Data Protection Act 1998, to look after our sensitive data.

In my initial e-mail, I gave ample information for you to identify me. It is now up to you to ensure that no financial loss or security problems result from your negligence. My bank has been informed of the possibility of fraud and should any problems occur in the future, you will be held responsible, in law.

Yours faithfully,"
:ugh::ugh::ugh:

Hey Jess

Absobloominlootely go fer it. The stress is already causing me sleepless nights (and afternoons now that I am a civvi!). I have had the standard response too but why would I send even more private data, which matched up to the stuff that they have already lost will mean that some scroat can nick my identity:ugh:

Ed

Jess, it sounds a good idea but just what is involved?

Those of us who've left might be interested to know that I've just received an e-mail reply (some 28 hours after my initial enquiry):

Dear Sir,

Thank you for your enquiry to MoD RAF Data Mailbox.

As you have provided details for us to identify you and have a current JPA record, we do not require any additional details at this time.

As soon as the data has been analysed and we have determined what information was on the USB Portable disc drives, you will be notified in writing as to whether you are affected by this incident. This will be done via the address that we hold for you on the JPA system, please ensure these details are up to date.

Yours faithfully,

RAFData mailbox

Mail Point 600
RAF DATA
KENTIGERN HOUSE
65 BROWN STREET
GLASGOW
G2 8EX

Dear Sir indeed! Still, the system seems to work so far... :bored:

I've just received an e-mail reply (some 28 hours after my initial enquiry):

What a super fast response you got.

Sent my e-mail at Sat 27th Sept 11:23. Finally got a reply 30th Sep 15:16. Only took 75 hours to send me the standard "we need you to prove that you are who you are so we can add that data to that which we held on you but have lost" reply.

Stunning customer :mad: service.....

A suggestion for a place to start with research:

Complaints about data protection policy - ICO (http://www.ico.gov.uk/Home/complaints/data_protection.aspx)

Edited to add:

Bored with studying, I took some time to read the Data Protection Act this arfternoon....

Section 64 makes provision for written requests to include e-mail:

"The requirement that any notice, request, particulars or application to which this section applies should be in writing is satisfied where the text of the notice, request, particulars or application—
(a) is transmitted by electronic means,
(b) is received in legible form, and
(c) is capable of being used for subsequent reference."

Regarding Rights of Access, section 7 allows the Data Controller to request "such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks."

So proof of identity is required, but not proof of address.

I would recommend to all those who have received the demand to make an application in writing to a snail-mail address, to include proof of ID and address to reply instead by E-mail and include a scanned copy of photo ID. If the eedjuts don't respond iaw the Act this time then they will have yet more questions to answer to when the Commissioner steps-in.

:=

FLASH:

MOD to announce that following the ruling on security of laptops similar rules are to be applied to desktops.

Users are not to log on and Desktop PCs are not to be switched on until users are instructed by email so to do.

Once switched on, users of stand-alone PCs are to run the following command at the C: prompt> C:> Format C: and answer YES to the following question.

Users of network machines need take no action until they receive the email telling them to switch on and log in.

This message is from RAF Police Central. If you receive this message by mistake you are to ignore it and telephone the JPAC enquiry centre to tell them you have received it and that your data has been compromised.

:ok:

Reminds me of the (probably apocryphal) tale of some visitor at a computer fair. The chap at the stand in question was proudly demonstrating his 'voice interface' software...

"It does what you ask - you don't need a keyboard"
"Really? That's rather clever. Can you show me?"
"Certainly sir. Let's try this: OPEN FILE DEMO!"
"OK"
"FILE PRINT"
"OK"

And 'Demo' was duly printed. The visitor then had in idea....

"Can I have a go?"
"Of course, sir"
"Thanks. C PROMPT!" "OK" " C FORMAT!"

"You bugger!!"

To Whom It May Concern

Yesterday I telephoned the JPAC helpline for the loss of RAF and veterans data. I was treated very badly by the "call handler" on the other end of the telephone. Furthermore the call handler has informed me that for them to investigate who I am I need to send in two more pieces of personal information with my service number to prove who I am. I will not be trusting any more of my personal data to the same people who managed to lose so much data in the first place. I have contacted my banks and advised them I am an "at risk" client and they are to take maximum measures to protect my finances and data.

My service number is XXXXXXXX.

Assuming you have not lost my entire RAF history then you can telephone me or email me at the address this mail was sent from and using my file ask me questions to identify me correctly - then you will be able to tell me whether or not my data has been affected. If you cannot find my file then, obviously I have been badly affected and you need to tell me urgently.

Be futher advised I am seeking legal advice with regards to this matter.

Also note I am emailing you from my work email account as I do not wish you to have access to my personal account.

Yours, with considerably more professionalism than has been shown by the RAF

I agree with the sentiment, stormrider, but what's the odds they won't reply? after all, that would mean the would have to do some work!

I am hoping that I offend some halfwit manager enough to get me in for a bollo44ing. After all, I'm still in the reserves aren't I?? I want to see how many of them I can p*ss off. I mean, it's not like the rest of us are this careless and incompetent in our jobs - we'd all be unemployed if we were.

So much for the idea of getting a straight "Yes" or "No" based on my service number...

Dear Sir

When we receive your identification to the address provided we can then confirm if any of your information was held, this will be sent to your home address.

Unfortunately until then we are unable to provide any information.

Regards

I'm going to have to send some stuff off to these idiots, aren't I...?

So much for the idea of getting a straight "Yes" or "No" based on my service number...

I'm going to have to send some stuff off to these idiots, aren't I...?

Yet another bolleaux eh!. After the previous bolleaux, and you might ask which one, Miss W2, as was, received a letter telling her that her data had been lost. This was sent to her old address, no questions asked. No questions such as "this is the MOD, if Miss W2 no longer resides at this address please return to sender" or some such.

It had her name and address thus confirming the worst and potentially telling this to complete strangers.

So in this case why not just write to the addresses they have on record?

EDS are also helping us with our investigations.

Love it. Isn't this the phrase used before an arrest?

Is it a security breach? No said the spokesman.:confused:

Sent the following reply to rafdata following their "provide proof of address" request. I don't expect it to do any good, but it made me feel better.:ok:

Dear Sir/Madam

I am writing to question the need to provide hard-copy confirmation of my address. My final RAF pay statements were sent to the address I gave below. My pension statements are also sent to this address. When I left the RAF, I received a letter from Kentigern house, again to this address, stating that Service Number and date of leaving were all that was required in future correspondence to verify my identity (your ref EDS/AFPAA/######## Dated ## ### ##). As I have given you both of these, and Section 64 of the Data Protection Act provides for verification of identity to be provided by e-mail, I believe that you should have all the information that you need to answer my original question.

Yours

N Joe

Contradiction in terms there - 'EDS' and 'helping' in the same sentence.

What I don't understand is why photo-ID is required. Is someone going to come to my house and check? I imagine there'll be a rush to check out the folks in Oz, NZ etc:*

Having provided proof of ID via email (a scanned photo id document) they are STILL refusing to tell me if they've lost my data. I have asked the Information Commissioner for advice; I'll let you know what he says.

:ugh:

Had the standard email reply back and then contacted my bank. They recommended this company.

Welcome to CIFAS Online - CIFAS Online (http://www.cifas.org.uk)

For about £14 per year they can ensure that nobody else can set up direct debits/standing orders on your account.

I have 2 questions:

1. Does anybody have any knowledge of this company?
2. Because the requirement is due to an admin mess up, could I claim for it on JPA?

I had exactly the same proof of data email at 1825 yesterday - looks like a batched response.

I pointed out that I was not retired and indeed using an internal MOD system. I got an apology 2 hr 9 min later. :)

The spva website (Help, Advice & Complaints (http://veterans-uk.info/complaints/complaints.html)) confirms that DPA requests can only be submitted in writing - apparently contrary to Section 64. :=

N Joe

N Joe - It is that point that I have specifically complained about to the Information Commissioner. Not only has my sensitive personal information probably been compromised; they won't even acknowledge the fact unless I sent hardcopy - they're adding insult to injury now.

My bank has referred me to this site too. This really is appalling stuff. In my new Company, theft of my identity could result in the loss of security clearnace, which would seriously impact on my ability to do my job. HR advies that potentially this could lead to dismissal on the basis that I cannot do my job. Maybe being a little paranoid but it would help to get some answers from my caring ex-employer who I worked for man and boy for 30 years etc. I would really like to know why this information was backed up to mobile media such as a 'dongle' - was it encrypted - god knows as MOD are saying nothing:ugh::ugh:

I rang the helpline yesterday. Gave my name, rank, DOB and service number and was told they had no idea if my data was missing or compromised and that I should keep an eye on bank accounts for suspicious activity.

My bank, Barclays, has recommended me to sign up to CIFAS as well. They advised that the only downside is there may be delays if applying for credit, but at least the assurance is that the system is working as advertised.

As for the clowns that have caused this debacle, they have now received my written application and if any of them are reading this - the clock is now ticking for them to reply and it doesn't have a pause button.

Reading the Information Commissioner's web-site, it seems to be a bit of a toothless organisation so I feel a visit to my solicitor and/or the police station may be in the offing.

Bladdered, I fully agree with your comment about the 'dongle' - why are they even allowed in such a sensitive area?

Today, saw the MOD's FAQs Sheet on this topic. If you haven't seen it, don't waste any energy tracking it down; most of the info was available from this thread.

The most useful answer was that most of the data lost was Annual Reports and only a small proportion of the individuals affected will have lost financial information.

The least useful answer was that the MOD does not consider this a security breach:confused:

N Joe

ACRs, MOD Form 2020, F7500 or whatever are Restricted-Staff. That is a protective marking. The aggregate protective marking of a large number of records would be higher than Restricted. See JSP 440.

It is a security breach. Any claim to the contrary is a lie and an attempt to downplay the incident. They cannot be trusted with personal data and won't be getting any more from me until I claim my pension.

Not sure what is involved in a legal action but I know others have sued the MoD this way - particularly over pensions pre AFPS 75. There would seem to be possible breaches of the Data Protection Act and Human Rights Act as well - any lawyers out there.

Worth pursuing with MPs once Parliament returns as well. I would suggest an apology from SoS Defence and AMP would be appropriate.

It is a security breach. Any claim to the contrary is a lie and an attempt to downplay the incident. They cannot be trusted with personal data and won't be getting any more from me until I claim my pension.

It is a play on words. I would have to look up the definition of security breach. The MOD spokesman seems to imply that a security breach would occur if the door was left open or someone emailed the lot out or left the data in a pub or locked car contrary to orders.

In this case it was not a security breach but a breakin, burglary or theft. None of the chosen were at fault so it was not a breach of security orders.

Simple.

Now that smoking is banned in the work place you will have to rely on mirrors alone.:cool:

Apologies if people think this thread should be linked to previous ones.

I had the same "chinning off" as others appear to have had when I contacted JPAC to see if my details were on the Innsworth missing hard drives. "Someone will contact you if we think you are affected"

Is it coincidence that, doing my accounts this morning I have, for the first time had a fraudulent transaction on my account? Having spoken to my bank and had my account frozen/cards canceled etc...They advised me that in order for the purchase to have been completed the :mad:'s would have to have known my card/bank details and my address!! I keep my account/personal details as safe as possible!!! (Notice I said I keep them safe:ugh:)

This might be a "one-off" and I might just be unlucky, but my immediate thought is whether anyone else who might have appeared on those elusive hard drives had similar issues:confused:

TVM

phew, still OK here.

I'm not RAF so I don't get paid via Innsworth but I have had fraudulent transactions on my debit card. First time I noticed my account was light by over £1000 when I withdrew some cash at an ATM. I queried this with the bank, and they read off some transactions at several different Tesco stores (never use his card at Tesco stores) which were certainly not mine (over £300 each.) Anyway I got this sorted; new debit card and my money was re-funded, then about a year later there were two ATM withdrawls on my mini statement of £98 each which weren't mine. Queried this and they asked if I'd been to Montreal 'cos that's where the money was withdrawn - $C200 each. Another card later and my money re-funded again!!
Funnily enough, I was in an optician and a guy there paid a bill with his credit card, and immediately got a text message. He explained it was an automatic system with his bank 'just in case' there was a fraudulent transaction as previously he'd been phoned in the early hours one morning to ask if he'd just bought £2000 worth of photographic equipment in Spain, which of course he hadn't!!

Innsworth - news (http://www.wikio.com/news/Innsworth)

Has anyone been contacted by the `powers that be` without themselves contacting the `powers that be` in the first place re this theft?

I left in 1995 when PSF was usually staffed by rather attractive young ladies and the chief clerk was the font of all knowledge things admin.

Now it appears the admin system has collasped and some thieving muppets go and steal my records due to a lack of basic security


Mr bloody angry - Devon

I understand from a very reliable source that the RAF Data goons will now accept scanned ID by email. :cool:

I e-mailled as soon as the story hit the streets.
Five days later I got a reply stating that I needed to write in and send proof of my identity such as passport, drivers licence, utility bills .......YEAH RIGHT!!!

They cant keep what they've already got in safety so they sure as h*ll not getting my up to date passport , address and driving licence details.

Bl**dy Muppets (sorry Muppets, generic not personal!).

Load of wasters.
Doc C

I understand a Nigerian lawyer is offering to give true ACR debriefs for a small sum of $11 000 000. All he wants is my bank account details. I kindly declined.

Tongue out of cheek, I haven't heard anything from SPVA/JPAC; s'pose I'll give them a call once I've checked my blood pressure.

Bigt wrote:
Has anyone been contacted by the `powers that be` without themselves contacting the `powers that be` in the first place re this theft?


I suspect they are trying to save on postage by only replying to those people who have contacted them in the first instance. I have still not received a reply to my enquiry and the clock is ticking down for them to respond. I've copied the following quote from the SPVA's own web-site:

"Our Mission : To deliver reliable, trusted and efficient personnel services to the Serving and Veterans communities.”

Shows they really care!

Hello
First post on here from a long time lurker. Sent this letter to SVPA recently:

"Please inform me what data relating to me was on the storage devices recently reported in the press as being stolen from SPVA Innsworth.

My service number was XXXXXXX I retired on XXXXX as a XXXXX. My address (above) is that to which information on my RAF pension is sent.

As requested by your helpline operator yesterday I attach copies of two items of identity/address confirmation. I do this under protest. In circumstances such as these the data owner/holder (ie SPVA) should immediately and automatically forewarn all those possibly subject to data compromise, at their last recorded address. Further specific information should be provided as the investigation progresses. It should not be incumbent on those at risk to have to request information and to provide proof of address or identity.

My costs in this matter to date are:

Time:
Follow up internet search after release of story for more specific details; identification of help line number: 30 minutes
Conversation on helpline: 5 minutes
Preparation of this letter: 10 minutes
Journey to post box (return) 15 minutes

Total 1 hour. At my current charging out rate of £200 per day = £25

Direct costs;

Postage: £0.34. PC ink/paper £0.16. Total £0.50

Please attach your remittance of £25.50 to your response to my request for information, or pass this letter (as a bill) to the department responsible for this debacle (ie not necessarily the one that lost the hard drives, but the one who should have implemented a better follow up/damage limitation process that conformed to the Data Protection Act in the context of loss or compromise of personal information)."


I don't hold out much hope for a repayment of costs - its the bl**dy principle of having to ask for details that stinks. When the DHSS or whatever it's called nowadays "lost" details of Child Benefit Recipients not long ago they wrote to them all individually.

(former) Stacker

Stacker

I like your approach, billing them for your time. Can't believe they'll take you seriously though, quoting £200 a day for a stacker.

You should have chosen a far lower rate if you wanted to be taken seriously.;)

N Joe

stacker, you need to find yourself a better job. I wouldn't scratch my gonads whilst staying in bed for £200/day. :p

Received a letter in the post today. Postmarked Gloucester. Thought it was going to be a pay rise or a bonus....but then my hopes were dashed. Oh well never mind.

Dear OTTB,

Following your request, we have carried out a search of the information that had been transfferred to the drive; they include general service information relating to your self.

Not very specific really....

I hope you ISS'd the letter and sent it back to them (Sp). :p

Another drive missing.........

BBC NEWS | UK | MoD computer hard drive missing (http://news.bbc.co.uk/1/hi/uk/7662604.stm)

This is taking the pi$$ :mad:

Why did it take more than 24 Hrs to issue a statement?

Are MOD going to accept liability for any fraudulent transactions carried out in the period from notification of the loss of data and the statement issued to the Media?

What assistance is being provided for the Families of those on Active Service to help them cope with this situation?

WHY HAVE HEADS NOT ROLLED?!!!!

Rant Over.

We might as well put our names and addresses, bank details, inside leg measurements etc etc...on the internet. At this rate they are just as safe there are they are with the MOD.........:mad::mad:

The MoD said it was told the drive was missing on Wednesday following a priority audit carried out by EDS.

......how many months before the audit was the drive "lost"? :ugh:

Was the audit carried out prior to EDS leaving the contract? And leaving the contract beacuse an audit was necessary?

Hey all, its been a while since I have been on here and would like to say thanks to all who have contributed to this thread.

I followed the advice given in earlier posts and have just received a letter from AVM Simon Bryant.

The crux of it reads:-

"Following your request, we have carried out a search of the information that had been transferred to the drive; they include medical casework information relating to yourself"

blah blah please accept my sincere apologies on behalf of the Ministry of Defence.

I am absolutley gutted how this could have happened. The Royal Air Force has let me down badly. Any advice from senior officers welcome.

Data Protection Act (http://www.ico.gov.uk/what_we_cover/data_protection/the_basics.aspx)

The Act works in two ways. Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:

Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Secure
Not transferred to other countries without adequate protection

Should an individual or organisation feel they're being denied access to personal information they're entitled to, or feel their information has not been handled according to the eight principles, they can contact the Information Commissioner's Office for help.

Complaints section - Information Commissioner's Office (http://www.ico.gov.uk/Global/online_enquiries.aspx)

Looks easy enough to do and can be done via e-mail.

Note that there are now three data losses. The Information Commissioner held that the MoD was not in compliance with the Data Protection Act (third and seventh principles) and issued an enforcement notice, with the requirement for 3 monthly monitoring reports. MoD issued a response to this, detailing how the 51 recommendations of the Burton report (response to data loss 1) would be addressed. Information Commissioner also took account of Article 8 of ECHR.

The issue of compliance and non-compliance is not in doubt: MoD was not compliant with the DPA when these losses occurred. A key issue is how the implementation of the Burton recommendations was being carried through. Was anything kicked into the long grass due to costs? Was there an immediate tightening of procedures, or did they sit with the proverbial thumb inserted over the summer? Do these data losses even precede data loss 1 ie. not picked up until now - what is the chronology?

It is clear that MoD are liable for compensation claims for damages arising from data loss 1 and will probably be liable to claims arising from these second losses. The Information Commissioner found that distress had occured, but compensation is normally only payable for distress when damage has occured as well. I do wonder how restrictive the "normally" caveat is...perhaps it needs tested in court! :E

http://www.ico.gov.uk/upload/documents/library/data_protection/notices/mod_en_final.pdf

http://www.mod.uk/NR/rdonlyres/F0437ECE-F5E6-4246-B4A8-8E63B789C915/0/burton_action_plan20080625.pdf

http://www.ico.gov.uk/upload/documents/library/data_protection/introductory/claiming_compensation_2.0.pdf

Jess, scanned the Burton report. I know at least one item that has not got this far down the tree - CD and Floppy audits.

I asked the question before June about allowing Atlas to walk off site with the old HDD and was told 'no problem.'

Not now there isn't, they won't!

How come the MOD (SPVA) won't tell me if they've lost my data without hard-copy photo ID but the MOD (Recruit Data) were quite happy to respond following e-mail validation of identity?
Thank you for your e-mail response.
I have checked the database and can confirm that your information is not stored on it in any form.
As a negative trace has been returned we do not have any information to send you and therefore trust that this satisfies your query.
N Joe

N Joe, the RAF Data e-mail contact advises that they will now accept scanned copies of the required docs in place of hard copy being sent to Glasgow.

Joe, was that data loss 1 (recruit) rather than data loss 2 (records) or data loss 3 (everybody else?)?

When I came out of the R.A.F in 1961 all I came out with was a pair of P.T shorts and a pair of work boots. I hope they don't ask for them back. I've still got the boots.

Greycoat - will give that a try, thanks

PN - (1) didn't get me, (2) might have but I don't know yet, (3) probably will.

N Joe

This week's RAF News says that the MOD have written to everyone affected by the data loss. Has anyone received a letter? Does that mean I've escaped again?

N Joe

Joe, see my earlier post. Just f:mad:ing resigned to being f:mad:ed around by f:mad:ing morons.

PS, found thay took 3 HDD away a fortnight ago, no paperwork.:eek:

N Joe wrote:

This week's RAF News says that the MOD have written to everyone affected by the data loss. Has anyone received a letter? .......
N Joe


No letter received at this location. Anyone with an idea when a blue moon is due?

Got my letter today for all the use it is. Just said that the lost disk contained 'general service information' relating to me....but was no more specific than that! :ugh:

However AVM Bryant did suggest that I visit www.identitytheft.or.uk (http://www.identitytheft.or.uk) to get guidance on further protection against identity theft!!!:rolleyes: Tw@t.

Needless to say his rather crap letter has not 'allayed my concerns' as he felt it might. :mad:

You've gotta larff. Also received my letter having given the two pieces of proof of identity each identifying me as Grey Coat and yet they have managed to address the letter to Pink Coat which coincidentally happens to be my father's name who also served in the RAF, retiring in 1989. You have to marvel at the level of incompetence.

Just got my letter this morning - 16 Oct. The information that related to me was "security vetting casework information".

Bloody marvelous.

Still, the 2-star said sorry (with his photocopied signature)

All's well then isn't it :ugh::{

rej, do tell. This is your chance to set the record straight :)

Are these letters arriving at home or work addresses?

Mine came to work...albeit with an incorrect address (wrong post etc). :ugh:

Re-reading the Information Commissioner's enforcement notice, it struck me that he had found that ECHR Article 8 had been unlawfully interfered with due to the failure to maintain principles 3 and 7 of the DPA.

I've now been the subject of data loss on three occasions due to MoD...can I hear the sound of a cash register....ker-ching! :ok:

The information that related to me was "security vetting casework information".
You gotta be sh!tting me? I couldn't think of anything WORSE to lose than that! That's not just an inconvenience, that's a serious security breach - one for which heads should roll!

...although I'm not holding my breath.

TheInquisitor

I agree. But what can I do. You have to be pragmatic about these things. If I were to loose/steal info, at best my arse would be hauled over the coals.

But I'm just a number (and thanks to the useless sods who look after my personal info I would hate to think how many scallies have my service number by now) and I am under no illusion that the 2-star or anyone at the top really gives a ****. It could have been worse though, my last "stunning" OJAR might have made it onto the streets for general consumption:E

I am intelligent enough and cynical enough to know that apologies mean nothing. In fact I feel quite honoured that they spent 34 pence on the postage, but there again an email on DII would never have got through would it (farce number 8million three hundred and fifty six thousand.................)

Well probably identity theft as a result of the data lost.

Close relative has lost £1650 from her bank account.:mad:

Bump.

A good few weeks later, I have heard nothing - sent the photocopies off. Has anyone affected actually received copies of their data, as for the first RN laptop loss? Are they sitting on this until the first three-monthly monitoring report has been released so they can say they are doing something about it?

Also, call me a cynic, but I find it hard to believe the loss has been taken seriously, fobbed off with a link to a Home Office identity theft website. Has anyone actually received any proper advice or aftercare? Is there actually a proper risk assessment carried out on these data losses?

I'm thinking about contacting my MP to try and get some answers.

Did anyone else see the notice on the Nov pay statements that went along the lines that we must all protect data to ensure that it is not lost or stolen.

HYPOCRITES :ugh: