Getty Images/iStockphoto

MoD reports 18% rise in data loss incidents

The Ministry of Defence reported more than five hundred data security incidents in 2019-20, with seven serious enough to warrant disclosure to the ICO

The Ministry of Defence (MoD) recorded an 18% rise in personal data loss incidents in the 12 months to 31 March 2020, with 546 incidents during the period, and seven that were formally notified to the Information Commissioner’s Office (ICO).

The data, contained in the MoD’s annual report and analysed by the Parliament Street think tank, revealed that 454 of these incidents related to unauthorised disclosure of data, 49 to the loss of electronic equipment, devices or documents from within government premises, 19 to the loss of equipment, devices or documents from outside government premises, and one to the insecure disposal of paper documents.

The seven incidents notified to the ICO include the disclosure of personnel and health data on two former employees of the MoD after a sub-contractor incorrectly disposed of MoD-originated material; and the loss of criminal investigation files during the archiving process, which affected 16 people.

The department also reported the unauthorised access to and disclosure of mental health data to a third party, which is currently under investigation by the Royal Military Police under the Computer Misuse Act; and an incorrectly redacted whistleblowing report which disclosed personal identifiers and statements.

Parliament Street said the data raised “fresh questions” about the security risks facing public sector organisations in the UK, particularly of those that are themselves tasked with safeguarding the country’s national security posture.

Commenting on the data, Tessian CEO Tim Sadler said the volume of incidents reflected how easily simple incidents of human error could compromise data security and damage reputation.

“Mistakes are always going to happen, so as organisations give their staff more data to handle and make employees responsible for the safety of more sensitive information, they must find ways to better secure their people,” he said.

“Education on safe data practices is a good first step, but business leaders should consider how technology can provide another layer of protection and help people to make smarter security decisions to stop mistakes turning into breaches,” said Sadler.

In its annual report, which can be read in full here, the MoD said its cyber security risk was complex, evolving and escalating at pace, as a result of which it actively manages cyber risk through a dedicated team and “very high levels of vigilance and governance”.

In the period covered by the report, it established a new Directorate of Cyber Defence and Risk to enhance this work, unifying management and response activity under a single framework, which it said had significantly enhanced its understanding of the risk landscape. It said it had worked to implement new capabilities designed to ensure that its core IT and communications systems are better protected.

It has also been working across government and industry to strengthen the security of its supply chain and introduced an internal cyber security awareness campaign for staffers.

The MoD was approached for comment but had not responded at the time of writing.

Read more about data protection

  • Home Office claims data wiped from national police systems only relates to people who have never been convicted of a crime or had further police action taken against them following an arrest.
  • The Vaccination Credential Initiative is working to ensure that people vaccinated against Covid-19 can access their records in a secure, verifiable and privacy-preserving way.
  • An opinion from the European Court of Justice has the potential to lead to a flood of privacy complaints against Facebook if upheld.

Read more on Privacy and data protection