The UK's Ministry of Defense (MOD) is conducting a review of information security policies in response to a serious data breach that transpired earlier this month. A laptop that was stolen from the car of a military recruitment officer contained information about approximately 600,000 people, most of whom were prospective recruits. The database stored on the laptop was not encrypted—a significant violation of MOD data handling policies.

The records, the earliest of which date back to 1997, primarily consisted of names and basic contact information, but more sensitive data—such as passport information, National Health Service numbers, medical details, and drivers' license numbers—were included for 153,000 individuals. Financial and banking information of approximately 3,700 people was also stored on the laptop.

The theft has compelled defense secretary Des Browne to launch extensive policy reviews and appoint a Data Protection Officer who will be responsible for evaluating MOD information security practices on an ongoing basis. Browne believes that the failure to use encryption is primarily the result of inadequate training.

"Our internal investigation has identified weaknesses in the application of MOD security procedures to this database, which is managed by the Army Recruiting and Training Division on behalf of all three services," said Browne in a statement made to the House of Commons. "In the time available it has not been possible to establish all of the facts, but it is clear that the database files were not encrypted, in breach of MOD procedures, and that there were shortcomings in security training and awareness among the relevant staff."

As we have seen many times in the past, even the strictest policies aren't always effective at combating these kinds of data breaches. The frequency with which these situations occur indicates a very clear need to reevaluate the manner in which data is stored, transported, and retained. The impact of data breaches could be minimized if data retention policies were established that mandate disposal of information no longer in active use, since data that has already been deleted cannot be lost with a laptop.

"It is not clear to me why recruiting officers routinely carry with them information on such a large number of people or why the database retains this information at all," Browne commented. "As with all parts of Government, those who have dealings with the Armed Forces have a right to expect that their data will be properly protected."

In the past decade, the UK has rapidly transformed into a surveillance society with pervasive camera monitoring, plans for a broad national ID card program, the largest citizen DNA database in the world, and increasingly common mandatory biometric information collection in schools without parental consent—trends that have drawn criticism from UK security officials and the European Court of Human Rights. As the UK grapples with the implications of collecting massive amounts of personal information about citizens, leaders must consider the serious risks of potential data breaches.