[BreachExchange] Data on children of armed forces personnel exposed in breach

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Jan 31 10:57:59 EST 2022


https://www.computerweekly.com/news/252512676/Data-on-children-of-armed-forces-personnel-exposed-in-breach

The personal data of 4,142 children and families of serving UK armed forces
personnel was exposed last year in a data breach at the Ministry of Defence
(MoD), one of seven personal data-related incidents reported to the
Information Commissioner’s Office (ICO) during the 2020-2021 reporting year.

The breach, which was revealed in the MoD’s Annual report and accounts
2020-21, related to children attending MoD Schools, and occurred after an
email address associated with MoD schools was compromised for a 72-hour
period in February 2021.

MoD schools provide education to the children of service personnel and
MoD-entitled civilians, contractors and fee payers posted overseas. The
facilities are predominantly focused on early years and primary education
and are located on military bases in Belgium, Brunei, Cyprus, the Falkland
Islands, Germany, Gibraltar, Italy and the Netherlands.

The service also provides educational support and guidance for the children
of service members attending local schools in allied states that do not
themselves host UK bases – such as Australia, Canada and the US – and
maintains the Queen Victoria boarding school in Dunblane in Scotland.

The MoD did not reveal in its report to which schools the incident was
linked, nor any further details of the breach, such as how it occurred,
whom may have accessed the data, and whether or not anybody actually did.
Computer Weekly approached the MoD for further comment, but the department
had not responded at the time of publication.

Other reportable incidents included a May 2020 breach in which the identity
and home addresses of 147 MoD personnel was accidentally emailed to
external organisations, including journalists; an incident that saw details
and images of an injured individual taken from an incident logbook posted
to social media; an incident in which court documents were incorrectly
redacted, exposing the data of five individuals involved in a legal case;
while in another court-related incident, an unredacted copy of criminal
allegations was incorrectly passed to the accused, revealing the identity
of the victim and witness statements.

The ICO was also notified of incidents including the posting of information
on cadets and adult volunteers posted in a closed social media group, and
the accidental posting of a member of public’s question to their MP to the
House of Commons website.

Non-notifiable breaches included 27 instances where inadequately protected
MoD devices or documents were lost on government premises, seven instances
where they were lost outside government premises, two insecure disposals of
inadequately protected documents, 479 incidents of unauthorised data
disclosure, and 37 classed as ‘other’.

All told, the MoD reported 552 non-notifiable incidents, up from 546 in the
year ending 31 March 2020.

Donal Blaney, founder of cyber ligitation practice Griffin Law, called on
the ICO to investigate thoroughly. “Our courageous soldiers, sailors and
air force personnel are willing to sacrifice their lives – often working
under cover and in extreme conditions – so we can live in safety and
freedom,” he said.

“The least the MoD could do is keep these brave heroes’ personal data safe
and secure. Instead, their identities, and potentially the safety of their
families and friends, have been put at risk by pen pushers.”

Tessian co-founder and CEO Tim Sadler added: “People are handling more data
than ever before, and with that comes the inevitability of human error.
Mistakes happen and, unfortunately, they can result in serious incidents
which compromise data security and privacy. For example, emails being sent
to the wrong person continue to be one of the leading causes of data
breaches today.

“Organisations, therefore, must have security measures in place to prevent
people’s mistakes before they turn into data breaches, and they must find
ways to support staff who have access to large amounts of valuable or
sensitive data to lower the risk of regulatory violations.

“It is critical that employees are given the training they need to make the
right cyber security decisions and that security teams have greater
visibility to respond quickly to incidents as and when they happen,” he
said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220131/7dd9b3a8/attachment.html>


More information about the BreachExchange mailing list