Sensitive MoD information exposed through personal email accounts

The Ministry of Defence logged 151 security incidents in 2020, compared to 75 in 2019

Secret information belonging to Britain's Ministry of Defence (MoD) was exposed to outside forces in multiple breaches last year after employees transferred files from secure networks to personal email accounts.

Sky News claims to have obtained heavily redacted defence documents, showing that the MoD's private sector contractors failed to protect secret military and defence data in 151 security incidents in 2020, and 75 in 2019.

All these incidents were filed with the MoD's Defence Industry Warning, Advice and Reporting Point (WARP).

In one security breach, reported in May 2020, data was sent to an 'unauthorised domain' in what appeared to be a phishing attack.

Other incidents saw data compromised due to misconfigured infrastructure, a potential breach of MoD-owned systems, and a breach of a perimeter fence at an unidentified location.

In one specific case, missile containers were made available for sale.

In a statement to Sky News, a spokesperson for the MoD said the Ministry takes the security of its systems, personnel, and establishments "very seriously" and constantly seeks to improve incident reporting.

However, the fact that military data was exposed to hostile states in security breaches is a major cause for concern. Adversaries continue to target politicians and defence officials, in attempts to steal sensitive information.

In August last year, Reuters reported that Russian hackers managed to obtain confidential trade deal documents from the personal email account of former cabinet minister Liam Fox, ahead of the 2019 election.

Fox's email account was accessed multiple times between 12th July 2019 and 2nd October 2019, according to the report.

Commenting on Sky News' findings, Tim Sadler, CEO and co-founder of security company Tessian, said: "People sending data to personal email accounts is a much bigger problem than most organisations and institutions even realise. According to our data, employees send company sensitive information to personal email accounts 38x more often than their IT and security leaders expect.

"The problem is that data loss prevention has only been made more challenging since staff have been working remotely as employees send data to their personal accounts to print out or work on documents on home devices. While it might seem harmless, highly sensitive information in those emails now sits in an environment that is not secured by the company, leaving it vulnerable to cybercriminals.

"Today's reports are an important reminder to all companies to remind employees of data sharing policies and ensure there are procedures in place to prevent data loss caused by people sending emails home."

The report comes just before PM Boris Johnson is due to present a long-term Integrated Review of national security, defence, development and foreign policy to Parliament today.

The PM's Office says the review 'will commit to a new, full spectrum approach to the UK's cyber capability' - driving investment in education, new partnerships with industry, and integration across intelligence and defence services.

Johnson said last week that the UK needs to advance its cyber capabilities, both to stay ahead of enemies and to ensure that threats from adversaries in cyber space are "thwarted at every turn".