The Ministry of Defence has outlined a series of reforms introduced in response to the data breach involving the Afghan Relocations and Assistance Policy (ARAP), following a written question from Lord Alton of Liverpool.
Responding on 24 July, Defence Minister Lord Coaker stated: “The Ministry of Defence (MOD) has commissioned several audits at various times since the data protection incident relating to the Afghan Relocations and Assistance Policy to inform remediation plans. All recommendations from these audits have been accepted and are either complete or work-in-progress.”
He emphasised that “it is a key priority of this Government to reinforce data handling practices,” citing the introduction of a new casework management system within the Defence Afghan Relocation and Resettlement (DARR) team that “prioritises data protection.”
Lord Coaker said the DARR team had also completed “a comprehensive review on legacy data held within this casework management system and historic email accounts to ensure information is held at the right security classification and within the right location.” He added that “shared sites [are] locked down and proactively managed,” applying strict “need-to-know principles.”
He noted that a new senior civil servant Chief Information Officer was appointed to the DARR team in October 2024, “with responsibility for a larger and more skilled data and information management team.” That team has produced a data strategy “in line with the Government Digital Services’ data maturity assessment.”
Mandatory training across DARR has been enforced: “All current staff have completed it. Bespoke induction training includes security briefings and data protection training, and there are regular communications on protecting information and expected behaviours, including discussions at senior leadership level.”
Finally, Lord Coaker stated that the MOD is “continuously investing in our cybersecurity infrastructure to ensure we remain resilient against evolving threats,” and is working to build “a workforce that is confident, capable, and cyber secure.”
Alongside this, I read a report on BFBS that Regimental Associations are regularly listing names of personnel online who are posted away from the Regiment, including those serving with DSF.
The often-used cover name for postings is regularly seen online, and is found on LinkedIn as well.
So it’s not just the MoD.
Human error is unfortunately a problem in any organisation; however, the solution used to be to employ tech to spot and block any such errors. Most organisations have, however, eliminated those resources, ironically in the name of saving money.
Stop using Excel as a database would be a start 🤦🏻♂️
Indeed – stuff of nightmares.
I learned that lesson, many years ago, when trying to buy a competitor.
Unfortunately, their sales team had downloaded the whole sales pipeline to Excel and sold it already. So the company had little real value.
So when we rebuilt our CRM it couldn’t be downloaded and used EAR etc with a highly granular level of permissions.
At least I *know* it complies with GDPR!
They should go back to paper files for important documents and they should not leave the building. The security services ran effectively for years with files and typists before computers were invented.
It is pretty obvious if you leave work with a heavily loaded 3.5t van.
Not so obvious when you leave work with a 128GB memory stick that has a similar amount of data on it!
I make it closer to 100 vans. 1 page of typed words may contain 2KB of data (double-spaced, single-side typing). 128GB could represent 64 million pages. At 5 grammes a page, that’s 320 tonnes, assuming no pictures and no data compression. At 95% compression you’d be better off using 18 wheelers, and you’d still need 130 of them. Crazy, right?
Just as well MOD laptops don’t download to USB sticks of any capacity.
USB ports used to be superglued with a dummy plug end inserted…..
Ah yes, the halcyon days of Burgess, Maclean and Philby. When we could rely on good eggs from the right universities. Both of them. When it took a mere few days to get classified orders to the front lines via an ambassador’s diplomatic briefcase and a cunningly hidden compartment in a Land Rover.
So let’s say I want to transmit ten Terabytes of highly classified submarine sonar data back to Blighty. Should I get my secretary to type it out, or do you think it would be okay to load it onto a stack of eight inch floppies and hand them to a trusted (Oxbridge) secret agent?
10TB of sonar data is an awful lot given it is acoustic data…..
I agree that encrypted comms is essential but the idea that anyone can download a whole data set to a laptop to manipulate it is just for jokers.
NI plod did that and put it on a website too.
In this case you could easily have built a database in a couple of days that had EAR and would send individual comms via a remote SMS or WhatsApp gateway that was fully granular. Heck, you could build it in FileMaker in an afternoon if you wanted to…..that way there is some idea of security…..not perfect but probably good enough.
Transmitted data would be encrypted, we will never be safe after Blair’s illegal wars unleashed terrorist factions in the Middle East and now they come to the UK on small boats. Facial recognition cameras are now common at pop concerts and sporting events due to 40,000 individuals being assessed as a risk by MI5. Some 20,000 are classed as extremists, with unchecked people coming in this will rise.
It would be interesting to know when these reforms were introduced. The breach happened a few years ago but the then government and the MOD moved to cover it up. Please say they didn’t also head in sand and not remediate the cause.