What Enterprises Can Learn from the RAF Breach

The BBC reported last week that sensitive personal data concerning 500 Royal Air Force officers was on a hard drive lost last September. The personal data contains sensitive information that could expose officers to blackmail, according to reports.

The hard drive was lost from RAF Innsworth, an air force base that is now used as military office space for the Service Personnel and Veterans Agency (SPVA).

“The Royal Air Force data breach, along with the proliferation of data breaches in general, reinforces the need to have a strategy of defense in depth to secure sensitive data,” said Katie Curtin-Mestre, RSA director of product marketing in an e-mail to InternetNews.com.

Companies need to keep track of their data. “The first step is to classify sensitive data and discover where it is located throughout the infrastructure,” she said.

Employees need to understand the importance of the data that’s in their custody. “The next step is to leverage people, processes and technology to secure sensitive information. From a people and process point of view, education of the end-user community and IT teams in any organization plays a big role as do physical security controls,” Curtin-Mestre said. “On the technology front, products such as Data Loss Prevention and encryption of data at rest
+can
play a role in preventing data breaches as well,” she said.

Encryption is important, agreed Torsten George, vice president of worldwide marketing for ActivIdentity in an e-mail to InternetNews.com. “Only a two-pronged approach combining strong authentication with file and data encryption technology could have protected the data and prevented the thief from reading the hard drives from some computer,” he said.

Reacting well to a mistake

The RAF said it does not believe that data was lost. Instead, it believes that the hard drive was stolen for sale, a spokesperson for the UK Ministry of Defense (MOD) in an e-mail to InternetNews.com.

Nevertheless, the RAF has taken precautions. “We took immediate action through the RAF chain of command,” the MOD spokesperson said. “All individuals identified as being at risk received personal one-on-one interviews to alert them to the loss of data, to discuss potential threats and to provide them with advice on mitigating action. We placed information prominently on the MOD and RAF Web sites and activated an emergency helpline to assist personnel with their concerns.”

The MOD reiterated the necessity of asking sensitive personal questions during the security clearance process, known as “vetting” in the UK.

U.S. readers should not feel too smug. Recent reports show that federal investigators working for the Office of Personnel Management (OPM) fake reports because their workload was too heavy.

“It’s all a matter of incentives. The investigators were rewarded for completing investigations, not for doing them well, said security expert Bruce Schneier in his blog.