The Ministry of Defence (MoD) has been left red-faced after it emerged that an administrative error led to the accidental leak of a secret Nato document detailing ongoing military exercises.
The document, marked “NATO restricted” on every one of its 192 pages, was emailed to fishing and ferry operators at the end of March, according to the Herald.
It apparently contains long lists of email addresses, phone numbers and the location of military facilities as well as technical details related to the exercises including aircraft target areas, code decryption tables, authentication protocols and radio jamming information.
Also listed in the doc are dozens of code words, call signs and map co-ordinates, according to the report.
The exercises in question are Griffin Strike 16, taking place in the south-west of England and Wales, and Joint Warrior 161 in Scotland.
The latter is a major bi-annual event currently running from 11-23 April and comprises “a program of exercises conducted by land forces, warships, submarines and aircraft across the UK,” according to the MoD.
The ministry admitted the error, which occurred when it was meant to send a missive on how fishing vessels and ferries may be affected by the live drills.
However, a spokesman sought to play down the potential impact of the accidental leak.
“A communications issue around the Joint Warrior and Griffin Strike exercises was identified and appropriate measures have been taken. There is no impact to the public, military personnel or units participating in the exercise,” he told the Glasgow paper.
Mimecast director of security product management, Steven Malone, argued that even the most security-sensitive organisations can fall victim to a data leak thanks to end user error.
“Employees rarely share confidential or secret information on purpose but need more help to avoid potentially damaging mistakes,” he told Infosecurity.
“Data loss prevention technology is mature and absolutely vital for highly sensitive data, but it must be considered a last resort backup. Employee awareness and understanding of security is the most critical control.”
This isn’t the first time the MoD has been found wanting when it comes to cybersecurity.
Over a four-year period leading up to 2009, the ministry reported the theft of over 650 laptops, including on one occasion the key used to encrypt data on the machine.
Then in 2012 a database containing employee emails and passwords was hacked and dumped online by hacktivists NullCrew, after they managed to exploit a basic SQL injection vulnerability.
SOURCE: Phil Muncaster