Ministry of Defence data exposed in security breaches

Redacted documents reveal record number of security breaches in 2020 originating from MoD’s private sector partners

Posted 16 March 2021 by Christine Horton

Ministry of Defence (MoD) data was exposed to hostile states when it was transferred from secure networks to personal email accounts, Sky News has learnt.

Pic: Sky News

Although documents obtained by Sky News were redacted to obscure the nature of the information, they reveal a record number of security breaches in 2020 originating from the MoD’s private sector partners.

The redacted documents show that a total of 151 incidents were filed with the MoD’s defence industry Warning, Advice and Reporting Point (WARP) in 2020, compared with just 75 in 2019.

“Every government contractor that processes MOD information is obliged to report security incidents to the Defence Industry WARP,” explains a new page on gov.uk published last month.

Although the substance and outcome of these incidents is obscured, many of the records in the documents obtained by Sky News are followed by multiple paragraphs of redacted explanation, including numerous incidents when information was sent to personal email accounts.

What were the breaches?

Sky News reports that the most extensive report, filed on 1 May 2020, runs several pages long and related to “data sent to unauthorised domain” – potentially indicating a phishing attack.

Two incidents in April were considered so sensitive that even the dates they occurred on were redacted.

Other incidents include potential compromises to MoD owned systems, a breach of a perimeter fence at an undisclosed location, infrastructure being misconfigured, and in one case missile containers being available for sale.

A spokesperson for the MoD said: “The MoD takes the security of its personnel, systems and establishments very seriously and continually seek to improve security incident reporting.

“We have recently introduced policy, processes and tools to make internal and external reporting easier and more efficient, and the increase in reports can be largely attributed to these improvements.”

A bigger problem than we realise

Commenting on the findings, Tim Sadler, CEO and co-founder of human layer security company said people sending data to personal emails accounts is a much bigger problem we realise.

“According to our data, employees send company sensitive information to personal email accounts 38x more often than their IT and security leaders expect,” he said.

“The problem is that data loss prevention has only been made more challenging since staff have been working remotely as employees send data to their personal accounts to print out or work on documents on home devices. While it might seem harmless, highly sensitive information in those emails now sits in an environment that is not secured by the company, leaving it vulnerable to cybercriminals.”

Sadler said the reports concerning the MoD “are an important reminder to remind employees of data sharing policies and ensure there are procedures in place to prevent data loss caused by people sending emails home.”

Sky News points out that the rising number of security incidents raises questions about the UK’s resilience to foreign espionage ahead of the government unveiling its Integrated Review today, which will set out the strategic direction of Britain’s defence and security apparatus.