MoD Data Loss – Can It Get Any Worse?

by on October 11, 2008

Another day, another… hardly a week goes by without… if I had a fiver for…. I’ve lost count of how…

The latest incident of data loss really, really plumbs the depths. I’ve started to pay less attention to the detail of such cases recently because it’s plain they’re simply endemic, human failings and not something we can somehow cure by tinkering around the edges. But I’ve just been reading this, which says:

“The portable drive contains the names, addresses, passport numbers, dates of birth and driving licence details of around 100,000 serving personnel across the Army, Royal Navy and RAF, plus their next-of-kin details.”

Wow. Just… wow.

The icing on the cake is that it was all on a portable drive as well. Words fail me. All that data in ONE PLACE.

The person who finds that drive and wants to exploit it would become unimaginably rich on stolen identities for pretty much the rest of their lives. I suppose if the MoD have a record of exactly whose details were on the disk, they could re-issue things like national insurance numbers and driving licences to prevent some of the more obvious exploits like credit card applications, but even then the possibilities for other avenues of exploitation using this information would be huge (Next of kin! For pity’s sake!!).

Data needs to be treated as if it were nuclear waste, or a volatile explosive mixture. It would be just about OK to have a list of 100,000 driving licence numbers if these were kept physically separate from, say, names and addresses (e.g. keying them on a one-time ID), but when certain classes of data are kept TOGETHER like this, it should be every right-thinking person’s reaction to scream the house down in panic on its discovery.
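A sketch of the separation described above, as an added example rather than anything from the MoD or the original post: names and addresses go in one store, document numbers in another, each under its own random ID. The third link table is an assumption that goes slightly beyond the single one-time ID mentioned here, and all field names and sample rows are constructed.

```python
import secrets

# Assumed field split: who the person is vs. what is only useful once tied to them.
IDENTITY_FIELDS = ("name", "address")
DOCUMENT_FIELDS = ("driving_licence", "passport_number")


def split_records(records):
    """Split full records into (identity_store, document_store, link_table).

    The two data stores share no key. The link table is the only thing that
    joins them and is meant to be held on a separate system.
    """
    identity_store, doc_rows, link_table = {}, [], {}
    for rec in records:
        # Random IDs, not derived from any personal field, different per store.
        id_a, id_b = secrets.token_hex(16), secrets.token_hex(16)
        identity_store[id_a] = {f: rec[f] for f in IDENTITY_FIELDS}
        doc_rows.append((id_b, {f: rec[f] for f in DOCUMENT_FIELDS}))
        link_table[id_a] = id_b
    # Shuffle so the two stores cannot be re-joined simply by row position.
    secrets.SystemRandom().shuffle(doc_rows)
    return identity_store, dict(doc_rows), link_table


def rejoin(identity_store, document_store, link_table):
    """Rebuild the full records; this needs all three stores."""
    return [
        {**identity_store[id_a], **document_store[id_b]}
        for id_a, id_b in link_table.items()
    ]


# Constructed sample rows, not real people or real document numbers.
SAMPLE = [
    {"name": "A. Example", "address": "1 Sample Road",
     "driving_licence": "DL-0001", "passport_number": "P-0001"},
    {"name": "B. Example", "address": "2 Sample Road",
     "driving_licence": "DL-0002", "passport_number": "P-0002"},
    {"name": "C. Example", "address": "3 Sample Road",
     "driving_licence": "DL-0003", "passport_number": "P-0003"},
]

if __name__ == "__main__":
    ids, docs, link = split_records(SAMPLE)
    print("identity store alone:", list(ids.values()))
    print("document store alone:", list(docs.values()))
    print("all three together:  ", rejoin(ids, docs, link))
```

A drive holding only one of the two data stores yields names without numbers or numbers without names. The link table then becomes the item to guard most closely and to keep off portable media.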

We have to assume that at some point, all data will leak out somewhere. All we can do is to ensure that when it does, it’s not actionable.

Oh, and by the way – you can probably forget encryption. I used to be a fan, but bitter experience showed me that people don’t understand it, and in most cases those who steal data will steal or otherwise obtain the keys as well.

Comments

No. DRM does nothing but “keep tall users tall”, as Cory Doctorow once put it. When data is out, it’s out. You can only try to ensure that what gets out isn’t actionable. So, the crime in the MoD’s case was not to extract the data, but to keep it all in one place in an actionable form. If I find a list of names on their own, then I can’t use that for much. If the list is accompanied by national insurance numbers, then I can. Kerpow.
