Browne announces review on MOD information security
21 Jan 08
Defence Secretary Des Browne has today set out a package of stringent measures, reviews and investigations completed or underway to safeguard information held by the Ministry of Defence.
The announcements follow the theft of a laptop containing information about potential recruits, from the car of a Royal Navy officer on the night of 9 January 2008.
In an oral statement, the Defence Secretary updated the House of Commons on the action he and his Department had taken since then:
- The theft was being investigated by the West Midlands Police, assisted by the Ministry of Defence Police.
- The Information Commissioner and police authorities had been informed, and all similar laptops were recalled from their users and secured as an immediate precaution.
- The Association for Payment Clearing Services had been alerted so that banks could monitor the accounts affected, to prevent unauthorised access.
- The intelligence services had been informed and asked to assess whether this incident could lead to an increased threat to our personnel.
- Letters had been sent to all 3,700 whose bank details were included in the database, and were now being sent to the 153,000 people who applied to join the Royal Navy, the Royal Marines or the Royal Air Force during the relevant periods.
- The MOD had set up a free telephone helpline, e-mail address and an address for correspondence for use by anyone concerned about the implications of the data loss and seeking further information.
- The Royal Navy had completed an investigation into the incident, taken steps to prevent a recurrence and the Navy chain of command was now considering appropriate action against the officer concerned.
- An internal investigation by the MoD’s Head of Security had established that, in addition to the laptop stolen on 9 January, 2 further laptops potentially containing similar data have been stolen.
The Defence Secretary then set out the further actions he had set in train:
- He had asked Sir Edmund Burton to conduct an independent review of the circumstances which led to the systemic failures.
- He had appointed, with immediate effect, a senior dedicated Data Protection Officer, to ensure that MOD practices and procedures are at the highest possible standard.
- He had made the MOD's head of security the sole authority for granting security accreditation for IT systems, so that in future any issues or doubts about the efficacy of security measures are raised to the highest level in MOD Head Office.
- He had directed the MOD to continue to engage in the Cabinet Office-led review of data security, following the earlier loss of personal data by HM Revenue and Customs.
- He had initiated an internal review by MOD IT security experts of all IT systems in use throughout MOD and the Forces to make sure that no other systems are at risk.
The full text of the Defence Secretary's Statement is below:
STATEMENT BY DES BROWNE, DEFENCE SECRETARY, TO HOUSE OF COMMONS, 21 JANUARY 2008: THEFT OF MOD RECRUITMENT DATA
Mr Deputy Speaker, with permission I should like to inform the House about the theft of laptop computers from MOD vehicles and premises.
The MOD has clear policies, systems and procedures in place to protect the security of information – both personal data and classified information. We have software protection through encryption and a formal information security process through which individual IT systems and the databases they contain must be accredited by the appropriate MOD authorities. Our internal investigations following this theft reveal that those procedures were not followed. This was a breach of MOD security regulations.
Since police investigations of the theft are at an active stage, I am limited to what I can say about the incident. But, it occurred on the night of the 9th January in Edgbaston, Birmingham. The laptop was left in a car, which had been parked overnight and was unattended.
The stolen laptop contains personal information on around 600,000 people, the majority of whom simply have expressed an interest in joining the Royal Navy, the Royal Marines or the Royal Air Force. We have no reason to believe that this theft was specifically targeted against the officer or to acquire the laptop for the data held on it, but we cannot wholly discount this.
Early the next morning, as soon as it was discovered, the theft was reported to the local police and the relevant authorities in the MoD. Mr Deputy Speaker, it is not clear to me why recruiting officers routinely carry with them information on such a large number of people or why the database retains this information at all. The information held is not the same for every individual. In some cases, the record may be no more than a name.
But I am advised that, for about 153,000 people who progressed as far as submitting an application form to join the Forces, more extensive personal data is held, including passport details, National Insurance numbers, drivers’ licence details, family details, doctors’ addresses and National Health Service numbers. For around 3700 people, banking details were also included. The records largely date back to 2003, although some records may date back as far as 1997.
Ministers were informed of the loss of the laptop on Friday 11 January, although at that point it was believed that the data was fully encrypted. That is relevant because the level of encryption used by the Ministry of Defence on its computers is stronger than that used for commercial applications and our IT authorities judge that a significant amount of time, resources and in particular expertise would be needed to access the data in a readable format.
The fact that it was not encrypted was reported to Ministers on Monday 14 January. Subsequently, the Information Commissioner and the police authorities were also informed. As an immediate precaution, all similar laptops were recalled from their users and secured. This was completed by 18 January.
The theft is being investigated by the West Midlands Police, assisted by the Ministry of Defence Police and after consultation with the Police about the impact on the investigation were the theft to become public knowledge, although I was ready to do so, I decided not to make a statement to Parliament last Thursday.
Unfortunately, news of the theft of the laptop was reported in the media on Friday evening and the MOD was obliged to issue a brief statement setting out the facts of the incident, as they were being reported inaccurately.
Mr Deputy Speaker, I discussed this approach with you Mr Speaker on Friday and with the hon member for Woodspring and the hon member for North Devon. I also attempted to speak to the hon Member for North East Hampshire and the hon Member for Cannock Chase, without success although I have spoken to them both today.
However, steps were taken to keep the Information Commissioner fully informed and to alert the Association for Payment Clearing Services so that the banks could monitor the bank accounts listed in the database, to prevent unauthorised access.
The intelligence services were also informed and asked to assess whether this incident could lead to an increased threat to our personnel. Their view was, understandably, that the risk would depend on whether this information fell into the hands of extremists but that there was no indication that this had happened and of course, we are keeping this under constant review.
Letters have also been sent to all 3,700 whose bank details were included in the database and are now being sent to the 153,000 people who applied to join the Royal Navy, the Royal Marines or the Royal Air Force during the relevant periods. We have set up a free telephone help-line, an email address and an address for correspondence for use by anyone who is concerned about the implications of the data loss and wishes to seek further information.
Mr Deputy Speaker, as soon as the theft was reported, the Royal Navy began an internal investigation into the incident itself, which has now been completed. Steps are now being taken by the Navy to prevent a recurrence and the chain of command is considering appropriate action against the officer concerned.
An internal investigation is also underway by the MoD’s Head of Security into the wider security issues raised by the loss of this data. In the time available, this has established that, in addition to the laptop stolen on 9 January, 2 further laptops potentially containing similar data have been stolen.
A Royal Navy laptop similar to that stolen on 9 January was stolen from a car in Manchester in October 2006; and an Army recruiting laptop, containing details of around 500 individuals, was stolen from a Careers Office in Edinburgh in December 2005.
These incidents were reported at the time to the local police and to the chain of command, although neither theft was reported to Ministers. Those involved believed that the data was protected by encryption and so no steps were taken to inform those whose records were potentially at risk. This is now being done in the same manner as I have described for those affected by the most recent loss. Nor was the Information Commissioner informed but this has now been done. There is nothing to suggest that the earlier thefts have been exploited for criminal purposes or any other purpose, in the intervening period.
As I said, our internal investigation has identified weaknesses in the application of MoD security procedures to this database, which is managed by the Army Recruiting and Training Division on behalf of all three services.
In the time available it has not been possible to establish all of the facts, but it is clear that the database files were not encrypted, in breach of MoD procedures, and that there were shortcomings in security training and awareness among the relevant staff. Further, although the MoD was a full participant in the Cabinet Office-led review following the loss of data by HM Revenue and Customs, these thefts and the failure to comply with agreed MoD procedures in this particular system were not highlighted by those responsible for the system during the first phase of that review.
Following consultation with the Information Commissioner, I have invited Sir Edmund Burton to undertake a full investigation into how these weaknesses came about, including responsibility for any breach of security and accreditation procedures and to review the steps we have taken to prevent any recurrence.
Sir Edmund is Chairman of the Information Advisory Council and supports the Cabinet Office in the implementation of the Government’s Information Assurance Strategy. He is also a former Chairman of the Police Information Technology Organisation and former Commandant of the Royal Military College of Science.
Sir Edmund will work closely with colleagues in the Cabinet Office who have been reviewing procedures across government following the HMRC loss of data. His report will enable us to answer the questions which still need to be answered and the Information Commissioner has confirmed in particular that the review will be wide enough to address the questions he has raised including about why a database of this size was thought necessary for field recruitment staff.
It will also enable the chain of command to identify where responsibility lies and whether anyone needs to face action as a result. Sir Edmund’s full report will be made available to the Information Commissioner.
Mr Deputy Speaker, I take this theft of personal data extremely seriously. I am also keenly aware of the risks should the data have fallen into the wrong hands, although I emphasise that there is no evidence that it has done so.
As with all parts of Government, those who have dealings with the Armed Forces have a right to expect that their data will be properly protected.
I very much regret that this has not happened. I am determined that we should identify exactly what went wrong and learn lessons. This must never happen again and I will keep the House informed of the outcome of the various investigations to which I have referred.