The personal data of 4,142 children and families of serving UK armed forces personnel was exposed last year in a data breach at the Ministry of Defence (MoD), one of seven personal data-related incidents reported to the Information Commissioner’s Office (ICO) during the 2020-2021 reporting year.
The breach, which was revealed in the MoD’s Annual report and accounts 2020-21, related to children attending MoD Schools, and occurred after an email address associated with MoD schools was compromised for a 72-hour period in February 2021.
MoD schools provide education to the children of service personnel and MoD-entitled civilians, contractors and fee payers posted overseas. The facilities are predominantly focused on early years and primary education and are located on military bases in Belgium, Brunei, Cyprus, the Falkland Islands, Germany, Gibraltar, Italy and the Netherlands.
The service also provides educational support and guidance for the children of service members attending local schools in allied states that do not themselves host UK bases – such as Australia, Canada and the US – and maintains the Queen Victoria boarding school in Dunblane in Scotland.
The MoD did not reveal in its report to which schools the incident was linked, nor any further details of the breach, such as how it occurred, whom may have accessed the data, and whether or not anybody actually did. Computer Weekly approached the MoD for further comment, but the department had not responded at the time of publication.
Other reportable incidents included a May 2020 breach in which the identity and home addresses of 147 MoD personnel was accidentally emailed to external organisations, including journalists; an incident that saw details and images of an injured individual taken from an incident logbook posted to social media; an incident in which court documents were incorrectly redacted, exposing the data of five individuals involved in a legal case; while in another court-related incident, an unredacted copy of criminal allegations was incorrectly passed to the accused, revealing the identity of the victim and witness statements.
The ICO was also notified of incidents including the posting of information on cadets and adult volunteers posted in a closed social media group, and the accidental posting of a member of public’s question to their MP to the House of Commons website.
Non-notifiable breaches included 27 instances where inadequately protected MoD devices or documents were lost on government premises, seven instances where they were lost outside government premises, two insecure disposals of inadequately protected documents, 479 incidents of unauthorised data disclosure, and 37 classed as ‘other’.
All told, the MoD reported 552 non-notifiable incidents, up from 546 in the year ending 31 March 2020.
Donal Blaney, founder of cyber ligitation practice Griffin Law, called on the ICO to investigate thoroughly. “Our courageous soldiers, sailors and air force personnel are willing to sacrifice their lives – often working under cover and in extreme conditions – so we can live in safety and freedom,” he said.
“The least the MoD could do is keep these brave heroes’ personal data safe and secure. Instead, their identities, and potentially the safety of their families and friends, have been put at risk by pen pushers.”
Tessian co-founder and CEO Tim Sadler added: “People are handling more data than ever before, and with that comes the inevitability of human error. Mistakes happen and, unfortunately, they can result in serious incidents which compromise data security and privacy. For example, emails being sent to the wrong person continue to be one of the leading causes of data breaches today.
“Organisations, therefore, must have security measures in place to prevent people’s mistakes before they turn into data breaches, and they must find ways to support staff who have access to large amounts of valuable or sensitive data to lower the risk of regulatory violations.
“It is critical that employees are given the training they need to make the right cyber security decisions and that security teams have greater visibility to respond quickly to incidents as and when they happen,” he said.