Last week, the British Security Service and Secret Intelligence Service, better known as MI5 and MI6, showed exactly how expensive a failure of information security can be. Discussions abound of breach notification costs, fines for non-compliance, or medical record leaks, but rarely do you hear that lives were jeopardized by a failure to protect private information. Details released last week show that MI6 scrapped a 2006 undercover drug raid in Colombia for fear that a lost USB stick had fallen into the wrong hands. The memory stick contained information on dozens of agents and informants, and most of the affected individuals had to be relocated.
The scheduled drug raid was a joint operation of MI5, MI6 and the US Drug Enforcement Administration, organised by the UK Serious Organised Crime Agency (SOCA). SOCA received £416 million in funding for 2006 (about $625 million), but did not disclose how much of that budget went to the covert operation. An internal source told The Times of London that the aborted operation cost over £100 million (about $150 million). The agent responsible for the loss, referred to only as 'T', lost her purse somewhere between the airline terminal, the immigration checkpoint and a bus at El Dorado airport in Bogotá, Colombia. She was on her way to her new post at the British Embassy.
A Soca spokeswoman said: “Soca has introduced its own clearly defined data handling and security policies. During the year to March 2009 — the first year we have been required to report any breaches — there wasn’t a single breach of personal or sensitive data by Soca staff.”
The agencies have since taken the first steps: defining data handling policies and measuring and reporting against them. An inquiry and formal investigation into the incident took place, and the remedies put in place appear to be working. The obvious question remains: why was the data on the stick not encrypted in the first place?
Hardware-encrypted USB drives were developed for exactly this sort of cloak-and-dagger work. Encryption routines are built into every commercial operating system on the market today, and dozens of security vendors sell encryption software, from full disk encryption to mobile device encryption to file-level and storage encryption. The US National Security Agency helped Microsoft harden Windows Vista and designed Security-Enhanced Linux (SELinux). British intelligence has a hand in several hardened systems as well.
Encryption ought to be just another step in the ingrained security processes of an intelligence operation; provided the key or passphrase does not travel with the device, a lost encrypted stick is a lost piece of plastic rather than a compromised operation. In fact, encryption ought to be a requirement for every organisation that processes private or mission-critical information. Security vendor Check Point summed up the dire situation in a February 2009 UK survey: "…less than 50% of the UK public and private sector organisations use any form of data encryption."
For a privacy professional, knowledge of information security and its ramifications for privacy is paramount to successful data protection. Personally identifiable information, private health records, personal financial information: all of it is only as confidential as the protections surrounding it. If the security provisions do not keep the data confidential, intact and available, there can be far more than fines or company reputation at stake.