The Ministry of Defence faces an investigation by the Information Commissioner after the disappearance of a computer hard drive containing details of Armed Forces personnel and thousands of potential recruits.

Richard Thomas, the commissioner, will decide what steps to take after the MoD has completed its own inquiry. The removable hard drive was supposed to have been stored in a secure room with only limited access to personnel with special pass codes.

The MoD contacted the commissioner after EDS, the company responsible for protecting the confidential data, failed to find the hard drive during an audit ordered by the Cabinet Office. “There have to be adequate safeguards in place when protecting confidential data,” the commissioner's spokeswoman said.

Officials at EDS, the world's second-biggest computer company, said it was possible that the hard drive had been taken home by an employee or moved to another part of the company's office in Hook, Hampshire.

MoD officials said that the hard drive was linked to the training administration and financial management information system (Tafmis) that contained personal details of up to 100,000 Service personnel and 600,000 applicants.

The same computer system was breached in January when five laptops vanished. Then the MoD indicated that only about 0.5 per cent of the 600,000 potential recruits had supplied confidential details such as bank account and passport numbers. The rest had provided only their names, addresses and contact numbers.

Details relating to the 100,000 serving members of the Armed Forces include bank and driving licence information, next-of- kin addresses and dates of birth.

MoD officials said ministers were furious at the loss, although EDS said there was no evidence that security had been breached at its Hook office.

It is embarrassing for ministers because, after the revelation about the missing laptops in January, the MoD asked Sir Edmund Burton, a retired general, to carry out an investigation. He discovered that 55 Tafmis laptops containing Royal Navy and RAF recruiting data had not been encrypted as required. The MoD accepted his recommendations for tighter security.

In July it was revealed that 747 MoD laptops and 121 computer memory sticks had been lost or stolen in the past four years. Last month three computer hard drives containing personal records of serving and former RAF staff were stolen from RAF Innsworth, Gloucestershire.

Yesterday it emerged that a laptop containing data on 100,000 pensioners was stolen last month. The computer, which contained names, national insurance numbers and income, was in a handbag snatched from an employee of the accounting firm Deloitte.

------------------------------------------------------------------------------------------------------------------------------------------------------

The personal data of millions of people is at risk because Britain has no national gatekeeper for computer security research, one of the country's most senior experts in the field says (Mark Henderson writes).

Professor John Pethica, chief scientific adviser to the National Physical Laboratory, says that whereas other countries, including America and Germany, ask independent state laboratories to draw up open security standards for government information technology, Britain has no such body. He is asking ministers to commission the NPL to devise security protocols.

Government agencies must instead rely on secret standards produced by the intelligence services or private companies. These are considered less trustworthy by IT experts, as they are confidential and thus cannot be examined for weaknesses.

Professor Pethica is asking ministers to commission the NPL to devise security protocols, which would cost the Government no more than £3 million a year.

While such standards would not guard against the loss of discs and memory sticks through human error, they could do much to minimise the impact of such events, he said.

It would be possible, for example, to ensure that sensitive data is stored in segregated fashion, so that a single lost disc would contain no information that could be used to commit fraud.

Names might be stored in one system, addresses in another, and details of benefit in a third. Each chunk of information would have to be matched up by an authorised user to reveal anything significant about an individual: on its own, it would be useless.

“If you look at databases, the bigger they get, the more valuable they get,” Professor Pethica said. “But there is also a greater risk of losing important information. These data need to be separated and segregated. If you have a distributed database, it’s not possible for someone to have all the data at once.”

Explore UK News

• Crime News

• Education News

• Health News

• Science News

• Scotland News

Times Recommends

• Catalogue of failings ‘leaves others at risk’
• Tourists told to stay away amid Venice floods
• Google generation has no need for rote learning