Ministry of Defence under fire over 18 per cent rise in data breaches

In total there were 546 reported incidents of potential data breaches in the most recent financial year, up from 463 in the previous year, 2018/19.

In addition to these figures, seven incidents were so serious they have been reported to the Information Commissioner’s Office (ICO) for further investigation.

The data, contained in the MoD recently published annual report and analysed by the Parliament Street think tank, raises fresh questions about security risks facing public sector organisations.

There were 49 reports classified under “loss of inadequately protected electronic equipment, devices or paper documents from secured government premises”, in the most recent financial year, with an additional 19 incidents reported from outside of government premises. There were also 454 incidents logged under the general category of ‘unauthorised disclosure’.

The most serious seven incidents were reported to the ICO and the MoD Security Incident Reporting Scheme (MSIRS) for further analysis. In July 2019, a sub-contractor incorrectly disposed of MoD originated material, leading to unauthorised disclosure of the personnel and health data of two former employees. Meanwhile, in December 2019, criminal investigation files were lost during an archiving process, potentially putting 16 people at risk.

In February 2020, a recorded delivery package containing the claim for forms of five individuals was lost in transit between two stations, containing personnel and health data. Additionally, in March 2020, a whistleblowing report that had not been properly anonymised was issued on the subject of the report. Although the document was deleted 32 hours after issue, it put the personal security of at least nine individuals at risk.

Cybersecurity expert Tim Sadler, CEO, Tessian, said, “Time and time again we see how simple incidents of human error can compromise data security and damage reputation. The thing is that mistakes are always going to happen. So, as organisations give their staff more data to handle and make employees responsible for the safety of more sensitive information, they must find ways to better secure their people.

Mr Sadler added: “Education on safe data practices is a good first step, but business leaders should consider how technology can provide another layer of protection and help people to make smarter security decisions, in order to stop mistakes turning into breaches.”