Server with Top-Secret Data Stolen

Posted by Zonk on Tue Aug 14, 2007 08:43 AM
from the don't-walk-around-with-that-stuff dept.
An anonymous reader writes "Usually missing information stories are fairly low key; the loss of a few thousand student records is cause for concern for those involved, but hardly national security. This one is slightly different. The company Forensic Telecommunications Services has announced that a server containing 'thousands of top-secret mobile phone records and evidence from undercover terrorism and organized crime investigations' has been stolen. From the article: 'The company — whose clients include Scotland Yard and the Crown Prosecution Service — has assured the public that the server is security protected, and the breach will not compromise ongoing police operations. The information is made up of either old cases that have passed through the judicial process, or cases that are already in the judicial system and so subject to full disclosure to both defense and prosecution teams.'"
This discussion has been archived. No new comments can be posted.
  • Just FYI... (Score:5, Informative)

    by daveschroeder (516195) * on Tuesday August 14 2007, @08:44AM (#20224011)
    ...Forensic Telecommunications Services [forensicts.co.uk] is a UK company, not a US company, so please keep that in mind when crafting your comments.

    (And yes, this is fairly plainly obvious to anyone who takes a moment to look.)
    • by Control Group (105494) * on Tuesday August 14 2007, @08:51AM (#20224097) Homepage
      But the British government has been in bed with the US government for years, which means they pretty much do whatever the US tells them to, which means they're pretty much just a US colony, which means that this loss is obviously attributable to FBI negligence, which is clearly linked to the PATRIOT Act, which means that it's the sole responsibility of the current administration - and we all know how Karl Rove likes to publicize secret information; this loss is obviously why he's resigning - which means that George W. Bush wants criminals to go free, so he can further consolidate his power and declare himself interim president for life!!!

      CAN'T YOU SEE, MAN? IT'S THE END OF FREEDOM!
      • You missed FEMA, Hurricane Katrina, and the Red Sox winning the World Series. And maybe crab people, but they could just be communists.
      • The Rand Corporation, in conjunction with the saucer people, under the supervision of the reverse vampires, are forcing George W. Bush to go to bed early in a fiendish plot to eliminate the meal of dinner.

        We're through the looking glass, people
    • Do you think that something like this cannot happen anywhere else?
    • The Forensic Telecommunications Services [forensicts.co.uk] website is an ASP site. Please keep that in mind before browsing this site from work or in the presence of young children...
  • by thatskinnyguy (1129515) on Tuesday August 14 2007, @08:45AM (#20224017)
    I blame the intern! [techdirt.com]
  • hahah (Score:3, Funny)

    by liquidpele (663430) on Tuesday August 14 2007, @08:45AM (#20224019) Homepage Journal
    I can see it now...

    *ring*
    Hello, is this my contact? Do you have the money?
    ...
    *recording* This is an important announcement, you are paying too much for car insurance!
  • by mmarlett (520340) on Tuesday August 14 2007, @08:48AM (#20224047)
    Which is it: Top secret phone records or information that has already been released in court cases? It doesn't seem like the two are the same.
    • by yog (19073) * on Tuesday August 14 2007, @09:52AM (#20224861) Homepage Journal
      I don't get it. What happened to locks, keys, and trusted employees? It seems like companies and government organizations are constantly leaving sensitive materials in cars or in unsecured locations where they can be stolen by opportunistic thieves. After thousands of years of civilization, and with all the fancy technology at our disposal today, have we learned nothing about how to keep important materials out of mischievous hands?

      A server with sensitive information should not be on the public internet, and it should not be on the premises of a subcontractor! It should be safe behind locked doors with access only by a select few, and protected by strong encryption too. I just don't get it; it's kind of depressing.
      • Re: (Score:3, Interesting)

        I've handled TS and above at a number of contractors over the years. That said, "What happened to locks, keys, and trusted employees?". And how do you get a server out of the building? Stuff it down your pants? I've never worked anywhere where areas with classified information weren't surrounded by cameras. And access control. And lots of other means of tracking the comings and goings. There's more to this story than has been made public.

        The lady doth protest too much, methinks. Something is rotten
    • The information is made up of either old cases that have passed through the judicial process, or cases that are already in the judicial system and so subject to full disclosure to both defense and prosecution teams

      Maybe they meant "proprietary" instead of "Top Secret". Clearly it isn't "Top Secret".

  • by faloi (738831) on Tuesday August 14 2007, @08:48AM (#20224053)
    Except that their physical security is apparently so poor that I can't imagine their data security is much better.

    "All the data is protected, as long as the thieves don't look at the password sticker hidden inside the case."
    • They simply forgot to activate the alarm system when they went home.

      Never attribute to malice what can be explained by stupidity.

    • They probably mean "password-protected". We all know how easy THAT is to get around. These guys don't sound clueful enough to actually encrypt their data (Though if any of them are reading this and want to correct me, please go ahead...)
  • by MrMr (219533) on Tuesday August 14 2007, @08:51AM (#20224085)
    from the Russian mafia.
  • Wrong Terminology (Score:5, Insightful)

    by stewbacca (1033764) on Tuesday August 14 2007, @08:52AM (#20224105)
    "Top Secret" is a term reserved for government classification schemes (in the US) and is clearly outlined by US laws. Using "Top Secret" for a business is just sensationalism. This business lost sensitive data, not "Top Secret" data.
    • Re: (Score:3, Interesting)

      Actually, that's incorrect.

      Many nations have equivalent parallel classification schemes, including using the terminology "top secret". Long-standing agreements between various nations allow sharing of information in the same categories.

      See here [archive.org] and here [wikipedia.org] for details.

      If FTS is a contractor on terrorism investigations, it could very well be handling "top secret" data. The article refers to it as "top secret", but you're correct: it's not clear if "top secret" is merely being inappropriately applied here, or wh
      • Re:Wrong Terminology (Score:5, Informative)

        by stewbacca (1033764) on Tuesday August 14 2007, @09:15AM (#20224373)
        I was a contractor that handled real Top Secret data and that term is reserved for government classified data only. Contractor's own stuff is neither Top Secret, nor protected under the provisions provided to government Top Secret data. My point is that there are too many stories from JoeBlow, Inc. that report "Top Secret" information being stolen just to sensationalize the story. To working professionals in the Intel field, the notion that Top Secret data was stolen is a national security crisis, only to read in the story that some stupid company lost some data with private information in it.

        True, that many countries share classification terminology. England, Canada, U.S. and Australia, for example, have all worked to synchronize their terms and laws. But the common thread is that these are all covered by government classification guidelines, not the private sector.

        I suppose the info in the story could be "Top Secret" in the true sense of the word, but if this company was a contractor handling real Top Secret (ie, government classified) data, it would be a much bigger story than something buried in slashdot ;-)

        • Re: (Score:3, Informative)

          it would be a much bigger story than something buried in slashdot ;-)

          It was front page news in several UK papers over the weekend.

          • A week ago I would have known (I just moved back to the States from the UK) ;-) Stupid narrow world-view of the US!
        • Contractor's own stuff is neither Top Secret, nor protected under the provisions provided to government Top Secret data.

          In the USA at least, contractors handle actual honest-to-god the real deal "Top Secret" all the time. In fact, most of our government's "Top Secret" programs are run exclusively by contractors.

          • Re: (Score:3, Insightful)

            True, all of what you said (except contractors are not the majority of classified handlers, especially in compartmentalized intel). I was a contractor and I handled classified all day long. My point is that companies are TOLD by government classification guidelines what is "Top Secret" and don't just make up their own classifications because they work with government classified data. Even if contractors CREATE the data, the company doesn't classify the content they created, the government does. I've sai
        • So, you don't think the Crown Prosecution Service or Scotland Yard would have "Top Secret" data? Seriously, the information stolen was evidence and phone numbers, how likely do you think it is that the phone numbers coincided with the evidence? Sorry, but I think the use of "Top Secret" is completely applicable in this case.
        • I'm aware of how classified data works, and when and how the terms are used. You said that the term top secret is "reserved for government classification schemes (in the US) and is clearly outlined by US laws". If you were simply speaking from a US-centric standpoint, and not to mean that the term wasn't used elsewhere, my apologies; my point was that the term "top secret" is used by several other nations, including the UK. Your statement about how this was codified in the US was confusing since the company in
    • Are you sure of that? Companies like Lockheed Martin, Boeing, General Electric, General Dynamics, etc all handle government secrets (and top secrets) as part of their defense contracts -- usually as parts of products they're building, but more and more intelligence analysis is being contracted out as well. I'd be surprised if British defense contractors didn't do much the same.
      • Re:Wrong Terminology (Score:5, Informative)

        by stewbacca (1033764) on Tuesday August 14 2007, @09:25AM (#20224461)
        Contractors working with US classified documents are bound to the same rules and regulations as government employees when handling classified data. My point is that companies can't just make up their own classification of something being "Top Secret". Boeing doesn't have the right to make something they created "Top Secret" just because Boeing thinks it is Top Secret. Only the government classification authority can designate a classification of: Unclassified, Confidential, Secret, or Top Secret. Anything else would be internal corporate policy, but any naming convention Boeing comes up with on their own is NOT provided the same protections under US Law that real government classifications are. (I may sound like a broken record, but I used to teach this stuff to government employees).
          • "Company name proprietary" is appropriate. What my gripe is, (in the US, at least) is that companies mark business data as "Top Secret", which is strictly reserved and regulated by US law, when the company just means "company proprietary" or "company sensitive" data. It is just an irritating sense of inflated self-importance that gets under my skin, is all.
  • Does this mean that I will finally be able to see a detailed listing of my wife's calls? :)
  • by Anonymous Coward on Tuesday August 14 2007, @08:54AM (#20224123)
    Shouldn't someone explain wtf top secret police information is doing in the hands of a corporation? Such information should be gathered, kept and held in custody by police.
    • Just because information has a certain classification doesn't mean anyone other than "police" is going to have it. In the US, and I would imagine a fairly similar situation in the UK, quite often contractors will have access to various levels of classified information for their particular project. Chances are though this is not technically "Top Secret" classified information, and just some sensationalist media, as a few other posters have noted.
    • Top Secret data is in the hands of lots of military contractors. If you handle TS data you have to comply with lots of REALLY overkill security measures. Secret classified data must be kept on SIPR net, which is a huge worldwide network massively encrypted and not connected to the Internet. TS is even more secure.
  • by varmittang (849469) on Tuesday August 14 2007, @08:55AM (#20224125) Homepage
    "FTS can confirm that the company was recently the victim of a break-in at one of our premises in Kent. As a result, some IT equipment including a server was stolen."

    Very important info for all those who want to start a flame war about what OS it was running and why it was connected to the Internet.
  • Wasn't this an episode of "Spooks" [bbc.co.uk] ("MI:5" [bbcamerica.com] in America)

    Spooks Brain? "Brain and Brain, what is Brain?"

  • ORLY? (Score:5, Insightful)

    by slobarnuts (666254) on Tuesday August 14 2007, @08:59AM (#20224175) Homepage Journal
    "In any case, the immediate disclosure and swift action taken by the FTS following the breach is yet another positive indication that organisations are beginning to take data protection seriously."

    Really? Because the fact that this happened in the first place seems to indicate otherwise. This just sounds like Damage control.

  • by hcdejong (561314) <{ln.tensmx} {ta} {emca}> on Tuesday August 14 2007, @09:07AM (#20224271)
    1. Cryptonomicon-style, with a big coil embedded in the door frame of the room where the server was stored (question is, would that even work, without using an MRI as the coil)
    2. with a brick of thermite on a proximity detonator inserted into the case
    3. boring ol' cryptography
    • We actually have a case of thermite grenades sitting in our TCF (where all our communications gear & servers sit). Of course there's also the thousand odd soldiers with M16s around that you have to get through first. Sitting in downtown Kabul Afghanistan and needing all that physical security does make me a bit nervous at times though.
      • Nothing like the flash demil process on computer gear. And yeah, I'd be a bit uneasy about needing that level of security, but with where that comm gear (and you) is at, I wouldn't have it any other way really.
    • "1. Cryptonomicon-style"

      I so just jumped to "Necronomicon-style" when I read that. Chin-sucking whirlpool books would probably be rather effective ("Army of Darkness" for you heathens that don't understand that).
    • Re: (Score:3, Interesting)

      1. Cryptonomicon-style, with a big coil embedded in the door frame of the room where the server was stored (question is, would that even work, without using an MRI as the coil)

      I don't think that would work, even in 1999 when Neal Stephenson wrote the book. Some data would be recoverable: disks are very hard to completely destroy. Encrypted filesystems are the right way to do it, with the key only kept in memory.

      I don't know why Stephenson's characters didn't think of that idea, since they worked for a PGP-s
  • If their physical security is this bad, one wonders how much value should be placed in the statement that the data on the server is "adequately protected".

    Moreover, this should spark the debate whether it is okay that private companies work on this sort of data, and whether the government should or should not have its own data specialists.
    • I'd argue that government wouldn't be any better at it. Plus, you could never fire the people responsible--at least here the company's going to lose a lot of business.
  • Bizarre reporting (Score:3, Interesting)

    by mattr (78516) <mattr@telebo d y .com> on Tuesday August 14 2007, @09:24AM (#20224459) Homepage Journal
    It seems most journalists are just mouthing the press releases over again. "Security Protected" is a talk-down-to-you phrase, "protected" means "secure" anyway, and it intentionally doesn't tell you anything about how it really is protected. The company with the break-in obviously wasn't using security sufficient to deter people targeting them - for a security analysis company not to use more expensive security commensurate with the value of their clients' info is not even mentioned. Something silly about outsourcing is mentioned in TFA but not in the press release of course because it was stolen from their premises. Impossible perhaps to deter a truly obsessed insider, but for TFA not even to talk about what that incredible "security protected" technology stuff is, is just dumb.

    I think it would be in the company's best interest to say everything was encrypted with unbreakable algorithms, but perhaps they have rules about not disclosing anything and maybe they don't want to spread the idea that people should encrypt things, that would certainly put a damper on their business, wouldn't it. I'd understand if they don't want to say they have a cell phone tracker or phone home device in it, but as for trusting them when they say nothing is important on that server they stole sounds very strange. More likely someone knew what they were going for it sounds.
  • Well, I always use encrypted partitions for equipment that could be stolen - laptops, or my home PC - but I wouldn't consider it for servers.
    This makes you think though.
  • invasion of privacy is a very pervasive thing once you start it up....
    • How many companies have real physical security? By that I mean trained security officers with guns, on duty 24/7/365. Most companies are vulnerable to theft, even of large items like servers, once everyone leaves for the day or weekend.
      • How many companies have real physical security? By that I mean trained security officers with guns, on duty 24/7/365.

        Well, I'm guessing the answer to that specific question in the UK is basically none, given that in general civilians having firearms is illegal and all...

        However, I would imagine that businesses working in certain sensitive industries are used to working with the police, and employ a combination of defensive measures and some rapid call-out arrangement to protect themselves. Given that we don't see banks being robbed all the time, it appears that full-time, gun-carrying staff (are scary black outfits an