Server with Top-Secret Data Stolen

An anonymous reader writes "Usually missing information stories are fairly low key; the loss of a few thousand student records is cause for concern for those involved, but hardly national security. This one is slightly different. The company Forensic Telecommunications Services has announced that a server containing 'thousands of top-secret mobile phone records and evidence from undercover terrorism and organized crime investigations' has been stolen. From the article: 'The company — whose clients include Scotland Yard and the Crown Prosecution Service — has assured the public that the server is security protected, and the breach will not compromise ongoing police operations. The information is made up of either old cases that have passed through the judicial process, or cases that are already in the judicial system and so subject to full disclosure to both defense and prosecution teams.'"

Re:Wrong Terminology

[daveschroeder]

Actually, that's incorrect.

Many nations have equivalent parallel classification schemes, including using the terminology "top secret". Long-standing agreements between various nations allow sharing of information in the same categories.

See here [archive.org] and here [wikipedia.org] for details.

If FTS is a contractor on terrorism investigations, it could very well be handling "top secret" data. The article refers to it as "top secret", but you're correct: it's not clear if "top secret" is merely being inappropriately applied here, or whether the information really could be technically "top secret".

It is (PowerPoint) quite routine [fas.org] for contractors to handle classified information in the US and UK.

Bizarre reporting

[mattr]

It seems most journalists are just mouthing the press releases over again. "Security Protected" is a talk-down-to-you phrase, "protected" means "secure" anyway, and it intentionally doesn't tell you anything about how it really is protected. The company with the break-in obviously wasn't using security sufficient to deter people targeting them - for a security analysis company not to use more expensive security commensurate with the value of their clients' info is not even mentioned. Something silly about outsourcing is mentioned in TFA but in not the press release of course because it was stolen from their premises. Impossible perhaps to deter a truly obsessed insider, but for TFA not even to talk about what that incredible "security protected" technology stuff is, is just dumb.

I think it would be in the company's best interest to say everything was encrypted with unbreakable algorithms, but perhaps they have rules about not disclosing anything and maybe they don't want to spread the idea that people should encrypt things, that would certainly put a damper on their business, wouldn't it. I'd understand if they don't want to say they have a cell phone tracker or phone home device in it, but as for trusting them when they say nothing is important on that server they stole sounds very strange. More likely someone knew what they were going for it sounds.

a different slant on Wrong Terminology....

[Anonymous Coward]

Other threads are quite correct to say that UK/US/Can etc have similar classifications, and that contractors routinely handle these (though note the lack of a US "Restricted")

When I started my career at a UK C+C Headquarters, we still had some old documents with the original UK top classification on, which was "MOST SECRET". They changed this during WW2 because the Yanks might read this as 'Almost Secret'.

All these classifications used to refer to Military Intelligence-type data. But come the end of the Cold War, the spooks grabbed any work they could to justify their budgets. Lots of this work was in non-military areas - even terrorism was originally non-military, but now lots of 'civilian' work has fallen to them. So I would not be surprised to find data on gangs, or porn barons classified as 'TOP SECRET'. Heck, I bet that Thames House South holds some papers on the current protest at Heathrow with TOP SECRET all over them.

Re:Protected how?

[Cheesey]

1. Cryptonomicon-style, with a big coil embedded in the door frame of the room where the server was stored (question is, would that even work, without using an MRI as the coil)

I don't think that would work, even in 1999 when Neal Stephenson wrote the book. Some data would be recoverable: disks are very hard to completely destroy. Encrypted filesystems are the right way to do it, with the key only kept in memory.

I don't know why Stephenson's characters didn't think of that idea, since they worked for a PGP-style data security company. Nor do I understand why the adversaries used Van Eck phreaking to spy on Randy's laptop rather than just install a hardware keylogger, or why an EMP can destroy a CPU but not a hard disk controller. But hey, at least the ending was better than The Diamond Age.

Re:Top secret public records?

[dmpyron]

I've handled TS and above at a number of contractors over the years. That said, "What happened to locks, keys, and trusted employees?". And how do you get a server out of the building? Stuff in down your pants? I've never worked anywhere where areas with classified information weren't surrounded by cameras. And access control. And lots of other means of tracking the comings and goings. There's more to this story than has been made public.

The lady doth protest too much, methinks. Something is rotten in the state of Denmark.

Either there really wasn't much to worry about or they are secretly passing rectangular pieces of firehardened clay out their anuses. And these guys are called a "security" firm!