Does your organization’s staff ignore policy on handling sensitive data? Don’t worry: So do those who work for the Royal Canadian Navy.
According to news reports Rear Admiral John Newton, who commands Maritime forces in the Atlantic, told reporters Tuesday a civilian Web designer working at the navy’s intelligence base in Halifax improperly stored copies of more than 1,000 secret documents, But, he added, it was a mistake that did not pose a threat to military intelligence.
“We do not fear that there was a threat to the material that was uploaded to a unclassified network,” Newton was quoted in the Toronto Sun by Canadian Press as saying after taking part in a dockside ceremony for a frigate leaving on a six-month, NATO-led mission in the Mediterranean.
“We’ve looked at … the work of the person involved and it’s an issue of imprudence in handling material, but it’s nothing more nefarious than that.”
The report said military police discovered the designer allegedly used Defence Department networks to improperly store secret files dated between 2004 and 2009. According to a search warrant seen by reporters military police seized four hard drives, a laptop computer, some CDs and floppy disks from the suspect’s office in September following a complaint about a possible security breach.
It is alleged the person copied the documents from a secure network for Web pages, but apparently instead of keeping them there put them on a less secure network.
No charges have been laid, and it isn’t clear if an investigation is still ongoing. News reports said the suspect’s network accounts have been frozen and he has been barred from entering the building where he once worked.
The incident comes after Sub-Lt. Jeffrey Paul Delisle, who also worked at the navy intelligence facility, was sentenced to 20 years in prison for copying secret computer files and selling them to Russia.
Although the admiral’s statement suggests the navy views this latest incident as an error rather than a deliberate attempt at theft or manipulation of documents, it’s another reminder that insiders pose a tremendous risk to enterprises — and that CISOs have to do more than approve policies for document control.
In this case admiral Newton said security measures introduced after Delisle was caught helped the military detect the Web designer’s activity, but not early enough for a considerable amount of documents to have been mishandled.