PPRuNe Forums (https://www.pprune.org/) - Military Aviation

Loss of RAF Data (https://www.pprune.org/military-aviation/309178-loss-raf-data.html)

Green Flash 19th Jan 2008 21:45

Pont has hit it firmly on thumb. If it's a data transfer IT SHOULD NOT BE ON A PC!!

Someone, somewhere, is up to something.

The fish smell is overpowering. Methinks 600,000 people should all be just a bit worried; not so much with the loss, but with the way the data was being handled. Knowledge is power, and someone had access to a huge amount of it. Why?

minigundiplomat 19th Jan 2008 22:05

1. Military makes government look bad.
2. Government loses 25m people's data, making selves look bad.
3. Military continues to make government look bad, government continues to lose data.
4. Government looks bad.
5. Military Officer (not a civil serpent, but a RN Officer) loses data, military looks bad.
6. Government looks slightly better as even the military can lose data, and are quiet at last.

Is it me, or are there 'dark forces' at work here?

(dark forces could well be a 2006 Merlot)

Tigs2 19th Jan 2008 22:08

I cannot believe that they have 600 000 names and it is just people interested or applying to join the military! As others have mentioned, this sounds like a database of all the British military going back say 15-20 years. I hope the Sunday press dig out more info tomorrow. Can't wait for Prime Minister's Question Time next Wednesday :E

Green Flash 19th Jan 2008 22:13

If there are any Fishheads here can they verify the Dark Blue who lost the data? No names, no pack drill, but can they verify it was a real live RN officer? (Can you see where I'm going here?!)


Oh B0ll0x, Black Omega outside already!

Tigs2 19th Jan 2008 22:15

GF
No, I can't, it's been a long day. Spit it out for us dullards.

Ta!


(they can't send Black Omegas for all of us!)

Green Flash 19th Jan 2008 22:21

No independent report that it was an RN officer, just an 'official' statement. Believe what you want (or are told) - (Oh FFS, I'm sounding like MGD or any of his other aliases!)

Too much (or maybe not enough) St Peters tonight. Sleep Bingo caption is lit.:\

Pontius Navigator 20th Jan 2008 09:24

The numbers are barely credible.

I was told on good authority that the AFCO foot fall for officers to the RAF is 12000 pa. Even assuming a ratio of 5-1 that could put the airmen footfall at 60000 pa. This could of course sum to the 600 000 for the RAF alone but is it really credible that they recorded and retained records of every one of these wannabes?

Factor this up for the Army and down for the Navy then the total 10 year foot fall could, I guess, reach 3 million over 10 years. Thus they have 'lost' records for 20% of the people interested in the armed forces?

I suppose this is just credible if my assumptions are right and they didn't include the 80% who just popped in on the off chance 'I was walking down the street and it began to rain'.

As the 12000 wannabe officer initial foot fall falls to 12000 and the into training pilot figure to 120, the whole numbers game starts to skew. OK, into Army training will probably match the higher numbers. Into RAF training, even at the bottom end, will remain far lower.

Kippers for breakfast I think,



from the smell.

VMD+12 20th Jan 2008 09:25

These numbers do not add up. Where on earth do they get 600 000 people from interested in joining the RN or RAF whose joint manning totals less than 75 000? Do these figures include all the Sea Cadets and ATC cadets and all those serving in the Reserves? I still cannot see where 600 000 would come from. Which individual needs to have all this information on his laptop - what was his job that meant he could put so many individuals' data at risk?
It makes you wonder who else is wandering around with all the details of those currently serving on their laptop just waiting to be pinched.

VMD

Jimlad1 20th Jan 2008 09:40

To ease the unfounded suspicions, I've got it on good authority that it was an RN officer type. I'm guessing that the 600k figure is everything from those who sent in an email to the website asking for more information, to those who went all the way and joined. Given the wastage ratio en route, 600k over 10 years or so doesn't seem that high - say 60k per year, of which maybe 6 - 10k would have joined.

Pontius Navigator 20th Jan 2008 10:11

Just a thought, but there have been several offences committed under the DPA98.

The obvious one is the failure to implement proper safeguards to protect the data. I suggest this is the lesser of the crimes. As the Government says, you cannot legislate against this form of human endeavour.

The second, and far more serious offence, IMHO, is the retention of data beyond the period when it would have been reasonable to retain such data. This is clearly a systemic failure going on for more than 10 years.

Clearly no one saw the need to do a filter sort and archive or delete data. I suppose they would argue the need to retain information on a 16 year old as he may eventually return and reapply many years down the line. But to retain the data on an active list or out of archive!

Ray Dahvectac 20th Jan 2008 12:55

Sunday Times
 
Perhaps some clarification from the Sunday Times article:


The personal details of every person who wrote inquiring about a job with the navy, RAF and the Royal Marines in the last 10 years were held on the stolen laptop.

The MoD says the data include the names, home addresses, bank and passport details, national insurance and National Health Service numbers of thousands of staff and potential recruits. A Whitehall official said yesterday the details of many serving servicemen and women were among the data.

The information was not encrypted and would therefore be accessible to anyone with basic technical knowledge.

The article also discusses the threat to Muslim service personnel following the 'kidnap and beheading' plot of last year.

'Two Jobs' is to make another apology - er "statement" - in parliament tomorrow. To use the same terms as one of his predecessors, is his department really 'fit for purpose'?

Frelon 20th Jan 2008 13:36

I agree with PN. There is no reason that this data should have been downloaded onto a local disc. The security systems should have ensured that sensitive data like this should remain on a secure server, only accessed by suitably authorised personnel and not downloadable.

Technology is now available that you do not need this stuff locally and you only access the information whilst online.

Why doesn't the government get its act together????

LFFC 20th Jan 2008 13:55


Quote: Technology is now available that you do not need this stuff locally and you only access the information whilst online.

Whilst the technology might be available, has it been properly funded and installed?

MoD defends £5bn IT system

cazatou 20th Jan 2008 14:21

HMG recently stated that the personal details of 25,000,000 people who received Child Benefit had been lost - this data included Bank details.

If there are 25 million receiving benefit then there are at least 25 million children out there - total 50 million people so far.

The latest estimate for the total population of the UK gives a total population in mid 2006 of 60,587,000

Thus, if the Child Benefit claimant is the Mother and there is only one child, there are only 10,587,000 people out there to be Husbands/Partners; Grandparents, Great Grandparents, Maiden Aunts, Spinsters, Bachelors etc.

The only way the sums would work out is if the data lost was the personal details of EVERY PERSON WHO HAS EVER CLAIMED CHILD BENEFIT SINCE ITS INCEPTION

It's really quite pleasant here in France.

Pontius Navigator 20th Jan 2008 18:17

Back on the laptop.

AFCO has records on a particular system which, I am reliably told, goes back about 3 years. The records from the previous system would not have been transferred to the new system.

The figures of 6 or 10 years and 600000 do not therefore hold up in relation to normal systems out there.

Someone must have done something quite deliberate to actually get 600000 records on to that laptop. As the STh said (I think they did), what was a junior officer doing with all those records?

adr 20th Jan 2008 18:52

The following comments are based entirely on uninformed speculation.

I wonder if this might raise a question about protective marking. One person's application data might be marked confidential, or confidential exclusive, but when you bulk up to half a million.... It's the same sort of data, but the sheer volume seems to me to merit a level of protection way above that you'd arrive at by asking only, "What sort of data is it?"

adr

Pontius Navigator 20th Jan 2008 19:09

adr,

What you allude to is indeed part of the security mantra of aggregation.

It is the same argument for not publishing publicly collated open source material etc as you are potentially focusing a hostile agent on interesting information.

How many people would be interested in the complete data on 10 people? or a 100 people scattered throughout the UK, or even a 1000.

But given a working population of some 24 millions we are talking 2.5% of the working population. Now even a marketing company would die for that focussed data set.

adr 20th Jan 2008 19:23

Thanks, PN. So, to vary a little the question you and others have already raised, I'd say, choose one from these two:
  • What was (reportedly) an Area Career Liaison Officer of Petty Officer rank doing with a file marked [x] on his laptop, and how did he protect it while in his custody?
  • Why was this file marked [y] when it should have been marked [x]?

:sad:

adr

airborne_artist 20th Jan 2008 20:26

Actually it might be far more than 600,000
 
AA jr applied to join the RN last year. She filled in the officer application form. The form asked for all her personal data, and additionally the name, former name, place/date of birth and passport numbers of both her parents. This will be standard for anyone who makes a formal application, as the info on their parents is reqd for negative vetting. How many more people are now involved, I wonder?

EdSet100 20th Jan 2008 22:14


Quote: 'Two Jobs' is to make another apology - er "statement" - in parliament tomorrow. To use the same terms as one of his predecessors, is his department really 'fit for purpose'?

I'm not sure that he should apologise in the HoC for something that is very clearly not his fault nor that of the department he oversees. The officer who screwed up would have been made aware, as we all are, of the dangers and restrictions of carrying mobile devices with sensitive data on them. This was a straightforward case of a blatant disregard of the regulations at a level well below the top of the MoD. Yes, a statement must be made to clarify what has been lost and the way forward and maybe the usual "regret" that it has happened.

In addition to whatever "standard" punishment the officer will receive, I think he should print out 600,000 letters of apology and personally sign, seal and post every one of them. Cock.

EdSet100 20th Jan 2008 22:32


Quote: The form asked for all her personal data, and additionally the name, former name, place/date of birth and passport numbers of both her parents.

I think it's time the Services reviewed the way we do business with our applicants. A simple name, address, tel no and CV is all that is required for a career application at the outset. Nothing more, just telephone directory stuff. All applicants should be made aware that they will be subject to vetting (a page of no,no's could be supplied with the application form to filter out the time wasters) if they are successful at the selection stage. While the number of exams and interviews might reduce slightly (most applicants will get through the vetting stage), the number of vetting processes must reduce down to approx the annual intake of recruits. It's not rocket science and it reduces the amount of personal data held unnecessarily by the MoD.

Riskman 20th Jan 2008 22:54

The Navy recruitment ad ran on the telly earlier with the strapline "Life without limits". Perhaps that should be "Life without laptops", or "...without limits on stupidity":ugh:

Tigs2 21st Jan 2008 00:35

Ed


Quote: In addition to whatever "standard" punishment the officer will receive, I think he should print out 600,000 letters of apology and personally sign, seal and post every one of them.

but the addresses are all on the laptop :}

D O Guerrero 21st Jan 2008 01:21

Amazed...
 
Just for interest this is the reply I received after contacting the email hotline:
"Dear Sir
Thank you for your enquiry to MoD Recruitment Data Check.

I have checked the data base using the information you have supplied and I can advise there may be a record which relates to you held on the laptop.
If you require further information at this time can you please apply in writing to the address noted below and enclose photocopies of two of the following documents:

· A photocopy of the page of your passport with your photograph on it.
· A photocopy of your driving licence (both card and paper counterpart).
· A photocopy of a recent utility or other bill, such as a mobile phone bill showing your home address. We do not need to see the details of the bill, just the address.
· A letter from your employer confirming your home address.
· A photocopy of any letter from a body such as your bank, building society or council showing your home address. We do not need to see the contents of the letter, just the address.

The address is: Recruit Data Check
Mail Point 403
Kentigern House
65 Brown Street
Glasgow
G2 8EX



I have included some information:
What risk is there with this information being lost ?
MOD’s assessment is that the loss of data does not pose a significant risk to personal security.
We have already informed banks of the potential loss of data for the small proportion of records where bank account information was held. This means that banks have already been alerted to look for signs of any irregularities in these accounts and then to alert individuals.
In addition, at the request of the Home Office, the Association for Payment Clearing Services now play a leading role in raising the awareness of identity theft. Should you have internet access, you may wish to view their website which provides practical advice on how to minimize any potential problem as a result of potential loss of data. This website can be viewed at www.identitytheft.org.uk.

If I am one of the people affected, what should I do?
There are some practical steps you can take to make sure your information can’t be used to defraud you or for other criminal purposes.
You shouldn’t give out personal details if anyone contacts you unexpectedly but take a note of their name and telephone number.
If any of the passwords you use to access personal accounts (for example on the internet) use any of your personal data, for example your date of birth, you should consider changing them.

What steps have you taken to protect bank details?
If you are one of the people whose bank details may have been affected, we have already let your bank know about the theft and they are monitoring your account for signs of any unauthorised activity.
The banks and building societies have told us that they have the appropriate safeguards in place and that there is no need for you to ask for a new account or to contact them.
If your account is used fraudulently by someone else then you will not have to pay but you might wish to take some steps to protect yourself. If you receive bills, invoices or receipts or see entries in your statements for goods or services which you have not ordered you should contact your bank or building society immediately.


Yours faithfully,



MoD Recruitment Data Check"


I find it absolutely amazing that they can't even be arsed to apologise! And what makes them think I'm going to trust the MOD with copies of ANY important documents?
In the time since I submitted my application to the RN, I've had time to join, complete 9 years service, retire and move on.. What the devil do they need data on me on some idiot's laptop for?
Court martial him. And then send him to me...
Steward, my gun!

Tigs2 21st Jan 2008 01:27

We have lost your data, so please send all the sensitive bits to us again, so we can lose it again:ugh::ugh:

D O

So you are at 9 years + retirement, maybe we should press to test and see who gets the 'longest' time back where they say


Quote: I can advise there may be a record which relates to you held on the laptop
:E

El Mirador 21st Jan 2008 06:00

I am furious about this as a close personal relative had their info. on this computer. They have never applied to join or been in the Armed forces but had a job with a link to them. They had an apologetic call from an Army Officer and were given a police number to call immediately if needed as their security is now threatened. I don't know how this laptop went walkies but I hope whoever is to blame will be seriously dealt with.

Ivan Rogov 21st Jan 2008 09:44

Is the MOD exempt from the Data Protection Act?
http://www.ico.gov.uk/what_we_cover/...rotection.aspx
Can we expect a mahoosive fine or even a prosecution for the loss of the data that we probably shouldn't have kept in the first place?
Standby for even tighter rules on IT, our laptops and PCs will take so long to log into soon it won't be worth using them :(

Frelon 21st Jan 2008 10:36

I can see no reason whatsoever that sensitive data like this, which contains the personal details of thousands of people, should be allowed to be downloaded onto a local hard disc.

Yes, it may be that somebody may want to analyse this data (perhaps offline) but there is no reason for this data to contain any personal details.

I am sure (at least I hope) that the banks do not allow personal data of their customers to be downloaded onto the laptops of their employees, so why the MoD and other government departments?

The Pharmaceutical industry collects masses of data in the clinical research process from patients (sorry, I mean subjects) taking part in clinical trials all over the world on a daily basis. This data is then analysed by the stats department within each pharma company. None of this data contains personal details of the people taking part in the trials. If they can do it so can government departments.

Anyone who authorises a software program to be able to download personal data onto a local hard disc should be responsible and accountable - in court if necessary.

Do you have data on your local disc which could embarrass you (or the MoD) if found in the boot of your car or stolen from your home??

Think long and hard about this now.

.....and what are you going to do about it??

Duckandcover 21st Jan 2008 10:46

Seeing as my data is no doubt on said laptop I'll have my twogigs worth.

Looking at the MOD statement and the posts on this thread and I'd say it's fairly reasonable to conclude that the 600,000 records is everyone that's enquired and then joined (or not) the two services within the last ten years.

I don't know why bank details would be with that. I don't recall ever being asked for bank details as part of the recruitment process...?

So there's a question about the source of such data and then why was it needed. Were they planning to cold-call those who lost interest? Were they looking to identify target areas based on enquiries, is there an area of Solihull with a predisposition to join the SBS?

I'm surprised that people, especially military (how quickly we forget the IRA) do not know that laptops are an easy target, especially for your average junkie that needs a quickfix.

Very disappointed. For the officer concerned the worst thing, ultimately, is the shame in letting down your colleagues.

Tigs2 21st Jan 2008 11:33

When will someone make a public definitive statement as to what has gone, how it was there in the first place, and why it was there?

airborne_artist 21st Jan 2008 11:55

Swiss Des will be making a statement to the House at 16.15 approx.

Wader2 21st Jan 2008 12:59


Originally Posted by EdSet100 (Post 3851243)
Quote: the way we do business with our applicants. A simple name, address, tel no and CV is all that is required for a career application at the outset. just telephone directory stuff.

Quote: (a page of no,no's could be supplied with the application form to filter out the time wasters)

Nice thought but that is not fool-proof. It doesn't cater for people claiming their brother's qualifications and even submitting the certificates.

Quote: it reduces the amount of personal data held unnecessarily by the MoD.

It could also be argued that retention of application data for the life of an applicant's recruitment life, say 16-39, might be justified to monitor whether an applicant has made numerous and unsuccessful applications and even changed their 'legend.'

Retaining or collating all that material on one laptop is an entirely different matter. Surely any data analysis should be done at the HQ level and not an outstation. As it appears it is Air Force/Navy data well the mind boggles 600000 for a combined force of 70-80000.

Stroll on 1615.

steamchicken 21st Jan 2008 13:09

The maddening thing about this is that the world-standard database format, SQL, includes as standard the ability to define, grant, and revoke levels of permission for any and all users on the system. Quite simply you GRANT read, edit ON recruits for each user, or each group of users; under no circumstances do you GRANT ALL ON recruits to anyone but the db administrator. However, it seems anyone in government gets to use the DUMP command (i.e. export all records to local disk)...
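
The per-user permission model raised in the post above, as an added example that is not part of the original thread: PostgreSQL syntax, with a hypothetical `recruits` table, `recruit_stats` view and role names, showing column-level grants that keep identity and bank fields out of a recruiter's reach, plus an audit query for who can read those fields.

```sql
-- Added illustration (PostgreSQL syntax). Table, view and role names are
-- hypothetical; nothing here is taken from any real recruitment system.

CREATE TABLE recruits (
    recruit_id    bigint PRIMARY KEY,
    full_name     text NOT NULL,
    home_address  text,
    date_of_birth date,
    passport_no   text,
    ni_number     text,
    bank_account  text,
    enquiry_date  date NOT NULL,
    status        text NOT NULL
);

-- Group roles carry the privileges; individual logins become members.
CREATE ROLE recruiter NOLOGIN;
CREATE ROLE analyst   NOLOGIN;
CREATE ROLE vetting   NOLOGIN;

-- Start from no access, then add back only what each job needs.
REVOKE ALL ON recruits FROM PUBLIC;

-- Recruiters: contact columns only, and they may update the status field.
GRANT SELECT (recruit_id, full_name, home_address, enquiry_date, status)
    ON recruits TO recruiter;
GRANT UPDATE (status) ON recruits TO recruiter;

-- Vetting staff: identity columns, but not bank details.
GRANT SELECT (recruit_id, full_name, date_of_birth, passport_no, ni_number)
    ON recruits TO vetting;

-- Analysts: an aggregate view with no personal identifiers at all.
-- The view runs with its owner's privileges, so analysts need no grant
-- on the underlying table.
CREATE VIEW recruit_stats AS
SELECT date_trunc('year', enquiry_date) AS enquiry_year,
       status,
       count(*) AS enquiries
FROM recruits
GROUP BY 1, 2;

GRANT SELECT ON recruit_stats TO analyst;

-- Audit: list every grantee holding a privilege on the sensitive columns.
SELECT grantee, column_name, privilege_type
FROM information_schema.column_privileges
WHERE table_name = 'recruits'
  AND column_name IN ('passport_no', 'ni_number', 'bank_account')
ORDER BY grantee, column_name;
```

With these grants a member of `recruiter` running `SELECT * FROM recruits` is refused with a permission error, because the wildcard touches columns the role was never granted.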

LBGR 21st Jan 2008 13:43

Whatever this information was being used for, right or wrong, it does not excuse the way it has been handled. It should have been made secure. As someone who has lost his data in this incident, the most annoying part is not that this data was being kept, because as someone who is serving this is expected, but the fact that it was stored in such an irresponsible manner.

I have found myself asking the same questions that have been posed on here several times, why did this chap have these details to take home with him, why were they not encrypted, and why (ffs) did he leave them in his car? If he was doing something dodgy (not necessarily for personal gain, but just flaunting the I.T. rules to meet deadlines or something along those lines), then why on earth was he not taking EXTRA care?

And as for sending a photocopy of my details off to Glasgow? The jury is still out on that one...

papajuliet 21st Jan 2008 14:15

Anyone who works in Birmingham should know better than to leave anything of value in a car in Edgbaston - it's a wonder the car was still there [and I do speak from experience having worked in that area and had my car stolen -that was 30 years ago and I think crime has worsened since then]

mustflywillfly 21st Jan 2008 14:43

Submitted to BBC not too long ago:

I am one of the many serving members of the Armed Services who has had their personal details stolen in the recent theft of a laptop.
Today we received a "signal" that, because the incident had appeared in the press it was probably best that we should all know what had happened. In other words almost a written confession that the MoD would not have informed us had it not been made public knowledge.
This is obviously unsatisfactory but I feel there are further questions that need asking here. For instance why would my details from my application in 1997 still be recorded? This poses many Data Protection Act questions and surely warrants further investigation.
Also, amazingly, when calling the phone number set up to check if your details were lost or not, on confirmation that one's details have been lost they then ask you to post a copy of a bank statement, utility bill, driving license / passport to Confirm your Identity !!!! Unbelievable and just a little incompetent. I shall not be providing yet further information so that it can be lost by these idiots.

I just hope that we all receive a written apology and that some consequences occur ref the DPA.

I DO NOT think that the Lt concerned should be made an example of, yes he was a complete tool for leaving the laptop in the car. The important thing is that this exposes much deeper issues with the way some parts of the MoD are handling our data.

Grrrrrrrrrrrr

Wader2 21st Jan 2008 15:08

That would be D O Guerrero http://www.pprune.org/forums/member.php?u=169934 then :)

WeeMan18 21st Jan 2008 15:31

Having just called the helpline I now know that my details are amongst those lost.

Given that I left the RAF just over a year ago, I can think of no possible reason why a RN Petty Officer recruiter attending an URNU town night in Brum should have in his possession my personal, legal and financial data and then leave it unattended. This simply is not good enough: a balls up of epic proportions from the PO involved but also mismanagement of sensitive information at a higher level.

It seems that some of the personal security lessons of the IRA years have been forgotten by this chap and his hierarchy on a monumental scale. Potentially Al Q could now have the home address and family details of everyone who has joined the Armed Forces in the last 10 years (the overwhelming majority of all serving personnel) and the Nigerians could have a bumper harvest financially crippling the same group.

Forgetting the Data Protection Act for a moment and considering the detrimental effect this could have on the security of the majority of personnel, perhaps the Official Secrets Act should be invoked. I suspect, though, that most of this data is 'Staff in Confidence' whereas by virtue of the sheer volume of sensitive personal information it should be handled as Secret or Top Secret.

In short: not a happy bunny. Let's hope the thief panicked and threw the laptop in a canal. Unfortunately, no one will ever know how far this data has travelled until it comes back to bite us on the arse.

I'm sure 'lessons will be learned' as always. Unfortunately they should have been known all along and now the damage may well have been done. Muppets.:mad:

airborne_artist 21st Jan 2008 15:45

WeeMan - the loser of the laptop was an RN Lt, not a Petty Officer.

Duckandcover 21st Jan 2008 15:45

Just watching the discussion..

Laptops lost by MOD personnel:

2007: 68
2006: 66
2005: 40
2004: 173 (I am guessing this reflects the early days of extra stupidity)

Of this number, 2 more held recruitment data, one RN laptop stolen in October 2006 (I missed the number of records if it was announced) and 500 records on a laptop stolen from an Army "officer" in December 2005. Apparently it was believed these laptops were encrypted.

I know of one with Tornado data lost by a consultant from Wyton. Documents relating to this theft were reported in local media. One assumes that the figures included that one and that private companies do not hold this data also (CAPITA manage some aspects of Police recruitment?)

Des says he does not believe the problem (of unencrypted data of this type) extends any further than the handling of this particular database, which is managed by Army Training & Recruitment on behalf of all the services.

Liam Fox says this is worse than the Benefit case because it was definitely stolen. He also asked whether the laptop concerned was an MOD or personal laptop due to the lack of encryption.

300 laptops have been recalled as part of this enquiry.

The laptop concerned had records dating back to 1997. Of the 600,000, 153,000 records held passport, national insurance, doctors' details, religious beliefs, dates of birth and 3,700 included bank details.

Letters were sent to the 3,700. Further letters will be sent to the 153,000. Helpline and email contact established.

Sir Edmund Burton appointed to review. This outside of Police and MOD investigations.

Discussion ongoing.

