The Ministry of Defence (MoD) recorded an 18% rise in personal data loss incidents in the 12 months to 31 March 2020, with 546 incidents during the period and seven that were formally notified to the Information Commissioner’s Office (ICO).
The data, contained in the MoD’s annual report and analyzed by the Parliament Street think tank, revealed that 454 of these incidents related to unauthorized disclosure of data, 49 to the loss of electronic equipment, devices, or documents from within government premises, 19 to the loss of equipment, appliances or documents from outside government premises, and one to the insecure disposal of paper documents.
The seven incidents notified to the ICO include the disclosure of personnel and health data on two former employees of the MoD after a sub-contractor incorrectly disposed of MoD-originated material; and the loss of criminal investigation files during the archiving process, which affected 16 people.
The department also reported the unauthorized access to and disclosure of mental health data to a third party, which is currently under investigation by the Royal Military Police under the Computer Misuse Act, and an incorrectly redacted whistleblowing report which disclosed personal identifiers and statements.
Parliament Street said the data raised “fresh questions” about the security risks facing public sector organizations in the UK, particularly those that are themselves tasked with safeguarding the country’s national security posture.
Commenting on the data, Tessian CEO Tim Sadler said the volume of incidents reflected how easily simple human error incidents could compromise data security and damage reputation.
“Mistakes are always going to happen, so as organizations give their staff more data to handle and make employees responsible for the safety of more sensitive information, they must find ways to better secure their people,” he said.
“Education on safe data practices is a good first step, but business leaders should consider how technology can provide another layer of protection and help people to make smarter security decisions to stop mistakes turning into breaches,” said Sadler.
In its annual report, the MoD said its cyber security risk was complex, evolving, and escalating at pace, as a result of which it actively manages cyber risk through a dedicated team and “very high levels of vigilance and governance”.
In the period covered by the report, it established a new Directorate of Cyber Defence and Risk to enhance this work, unifying management and response activity under a single framework, which it said had significantly improved its understanding of the risk landscape. It said it had worked to implement new capabilities to ensure that its core IT and communications systems were better protected.
It has also been working across government and industry to strengthen the security of its supply chain and introduced an internal cyber security awareness campaign for staffers. The MoD was approached for comment but had not responded at the time of writing.