UK Special Forces soldiers' personal data was floating around WhatsApp in a leaked Army spreadsheet

An astonishing data security blunder saw the personal data of Special Forces soldiers circulating around WhatsApp in a leaked British Army spreadsheet. The document, seen by The Register, contained details of all 1,182 British soldiers recently promoted from corporal to sergeant – including those in sensitive units such as the …

  1. trevorde Silver badge

    Even worse than leaving an unencrypted USB stick on a train :-(

    1. Paul Hovnanian Silver badge

      "leaving an unencrypted USB stick on a train"

      On purpose or by accident?

      On this side of the pond, we had personnel data on security clearances go missing often enough that I became convinced that some subcontractor was taking kickbacks for periodically misplacing it. That the British Army data ended up on WhatsApp makes me think it was just ideologically motivated. Foreign intelligence usually doesn't post the stuff that they capture.

      1. Yet Another Anonymous coward Silver badge

        I thought the Army was the reference case for not attributing to malice that which is adequately explained by stupidity

        1. Alumoi Silver badge

          No, that's Intelligence. Military Intelligence is the best definition of oxymoron ever invented.

          1. cyberdemon Silver badge
            Headmaster

            Example != Definition

            "Military Intelligence" is the best example of an oxymoron ever invented.

            1. Anonymous Coward
              Anonymous Coward

              Re: Example != Definition

              We pay people to do jobs

              We don't pay people to think

              I think that's the problem, not much thinking being done, no profits you see

            2. the Jim bloke
              Unhappy

              Re: Example != Definition

              Military Intelligence is a specific thing, seized upon by self styled "wits" and mocked to make themselves appear clever and daring.

              Other examples of true oxymorons would be "political integrity" or "business ethics"

              Like other oxymorons, these combinations of words mean something antithetical to the definitions of their components - and I am not mocking, I am mourning...

        2. amanfromMars 1 Silver badge

          A Blood Red Line Only the Thickest of Fools' Tools would Cross and Defile to Deserve No Mercy.

          If one had has any idea or direct knowledge at all about what Elite Special Forces do, and can do for and to y'all too, you'd best hope that it is stupidity rather than malicious intent that has brought you to their undivided attention or vice versa, your shenanigans to their Sterling Stirling Business ....... and Raison d'Être for Existence in Exercise of Extremely Prejudicial Covert and/or Clandestine Operations ........ which in most cases be successful tours of a patriotic patriarchal psychotic duty to extremes of self-indulgent excellence and rectifying fortitude.

        3. Joe W Silver badge

          Left hand and right hand

          Here we have a saying about one hand not knowing what the other hand does.

          My army experience tells me, that the right hand does not know of the existence of the left hand.

          In my current job: The (supposedly) brain forces both hands to actively ignore each other's existence.

    2. JimboSmith

      Even worse than leaving an unencrypted USB stick on a train :-(

      Far worse and a really dumb thing to do. Even if they'd password protected the spreadsheet everyone (so potentially 80k people) would have to use the same password. So the chances of that one password leaking to somebody unauthorized are far higher.

      My current company requires you to use an encrypted memory stick for moving anything around even if there are no personal details. If there are, then you need to encrypt the spreadsheet etc. as well.

      1. Terry 6 Silver badge

        Yes, even schools these days have (or are supposed to) those levels of security over kids' details. But the F*ing security services.

        1. Version 1.0 Silver badge
          Joke

          Special Forces personnel are trained to delete people, not data, the PFY is not going to get a job with the military.

          1. amanfromMars 1 Silver badge
            Alien

            Much prized, but understandably, seldom lauded or admitted via any claim of responsibility

            Special Forces personnel are trained to delete people, not data, the PFY is not going to get a job with the military. .... Version 1.0

            Traditional and conventional Special Forces personnel are certainly trained to delete people, Version 1.0, however, to not think, and to fail to realise Great Games have moved on and up a number of tiers to completely new levels of absurd complexity and astute ACTive engagement with more than just one trick circus ponies to pacify the crowds now vulnerable to the reign of clouds, and miss the fact that the Special Forces of Tomorrow Today are an entirely different breed of exceptional being, has one nicely permanently rendered at a convenient disadvantage to them, and at their mercy, should one's own choice of malevolent actions cause them to choose to rectify matters.

            And some are able to be deadly effective whenever only equipped with pyjamas ...... https://youtu.be/LcgG_E9gQJM?t=54 ..... for there are any number of Elite Keyboard Warriors comfortably embedded in their midsts and enjoying the mutually advantageous security and protection each gives the other in the exercise of each of their many particular and peculiar skillsets.

            Do you find that pleasantly comforting or extremely troubling? And would the latter be because of your enthusiasm for a number of extremely troubling actions or even the sharing of thoughts to incite such actions?

      2. thondwe

        MS provide the tools to secure files using Azure AD/365 accounts - but of course that's $$$$ and resources to manage... Also, there's the question of whether this is an official MOD WhatsApp business account - assuming such a thing exists and adds some level of control, a personal account using a work phone or worse still a personal phone...

        CARELESS

    3. Chris G

      What is worse is the fact that the British Army decided to embrace Whatsapp at all, nothing of internal workings should be on a public facing service and particularly a service that belongs to a renowned data scraper.

      1. Cuddles

        What makes you think the Army have anything to do with Whatsapp? The article says the leaked document is being sent to other people using Whatsapp. That's equivalent to saying it's being shared using email - it has nothing to do with how it was originally accessed or how it was leaked. Indeed, it's rather odd to see El Reg using phrases like "available to download on Whatsapp", given that there is no such thing as being available to download on Whatsapp. If someone sends you a message with an attachment, you can view that attachment, just as you could if someone emailed it to you. You can't go wandering around Whatsapp looking for things to download.

        The actual news here is that the army appear to have really shitty privacy procedures involving confidential documents being available to tens of thousands of people with essentially no security or access control, making leaks inevitable. The details of which messaging services have been used by various people to share a document after it has been leaked is of no interest whatsoever.

        1. Cliffwilliams44 Silver badge

          Whether malice or stupidity this is similar to the Manning incident in the US military I would guess. Some lower rank individual with access to information they probably shouldn't. Most likely because some higher ranked individual does not want to have to deal with it.

        2. Chris G

          @cuddles

          Perhaps you missed this

          https://www.theregister.com/2020/03/18/army_adopts_whatsapp_orders_coronavirus/

          Considering the above link, I would think the messaging service used to dump what should be at least restricted information on the internet is of great interest.

        3. teknopaul

          available for download

          Text like that is highly suspicious, UK.gov mandate certain news articles be written, when and sometimes text to include.

          A false flag op, or a cover up ;)

  2. Potemkine! Silver badge

    sharing newly promoted people’s personal details in a spreadsheet accessible by the entire 80,000-strong British Army was routine

    What a great idea. Especially in GDPR times.

    Those involved can apply to win this trophy.

    1. Piro Silver badge

      Yep, fantastic

      That's what I thought, too. They don't seem to understand how amazingly unacceptable that is.

      "Usually we just allow anyone in the armed forces to look at very sensitive data regarding all personnel, with an Excel password, on the intranet".

      This is bizarre and utterly insecure. I don't think I've ever worked at even the most amateurish of companies that just flat out had a list of everyone's details in an Excel spreadsheet with full access to all on the intranet.

    2. EnviableOne

      Unfortunately there is a Military purposes exemption from GDPR

  3. Flywheel
    FAIL

    "Who is General Fskup" ?

    .. and what's he doing on my computer?!

    1. MutantAlgorithm

      Re: "Who is General Fskup" ?

      He's waiting for a report from Major Incident

      1. Anonymous Coward
        Anonymous Coward

        Re: "Who is General Fskup" ?

        If he doesn't hurry up he'll be getting a visit from Corporal Punishment.

        1. Christoph

          Re: "Who is General Fskup" ?

          He might get a boot in the Private Parts

          1. 7teven 4ect

            Re: "Who is General Fskup" ?

            He's covered by Admiral Insurance so no prob.

    2. wjake

      Re: "Who is General Fskup" ?

      Corrupting your spreadsheet, resulting in a visit from Colonel Panic...

      1. Anonymous Coward
        Anonymous Coward

        Re: "Who is General Fskup" ?

        Sounds like General Protection Fault was involved to me...

  4. Anonymous Coward
    Anonymous Coward

    Well that's going to be a tea, no biscuits meeting if ever I've seen one.

  5. Anonymous Coward
    Anonymous Coward

    I'm Spartacus !

  6. wolfetone Silver badge
    Holmes

    Ah, so they are capable of naming soldiers then.

  7. Dave 15

    Several thoughts

    Once upon a time the army had a separate network which would have avoided this, I guess a bean counter thought they would save the mod money by having its personnel killed off instead of paying pensions.

    Second there is no reason on earth why the whole army needs to see every promotion in the army so the decision to publish it was stupid, probably driven by some left wing political correctness bull shit

    1. Yet Another Anonymous coward Silver badge

      Re: Several thoughts

      > some left wing political correctness bull shit

      Yes it's definitely the fault of the Eu, BBC, Obama and the LSE

      1. Sodditall

        Re: Several thoughts

        and those pesky left-wing nurses and doctors.

        1. Anonymous Coward
          Anonymous Coward

          Re: Several thoughts

          and some mealy mouthed namby pamby liberal Sergeants Major.

          1. WolfFan

            Re: Several thoughts

            Oh, my. All Sgt Mjrs are polite, reserved, quiet, laid-back, surfer dudes. All of them. They would never let a word which could be considered impolite pass their lips. To suggest otherwise is just wrong. You’ll receive the Ultimate Punishment: you’ll be sent to bed without your supper.

      2. 7teven 4ect

        Re: Several thoughts

        Because nothing is ever the fault of some unscrupulous incompetent right-wing chancers?

        1. teamonster

          Re: Several thoughts

          I'm wondering how much of the ills of Britain in general can be laid at the feet of these people.

          Back in the 90's I wound up on a training scheme run by the government. Several of us on the same course decided to get together and compare notes. To our surprise, we found that several of us had different course documentation, even though we were supposed to be on the same course. We touched base with our 'trainer', who spent all day in his office and we only saw when he was either entering or leaving the premises. We were told 'sorry, but some of you got the wrong course documents.' Barely a shrug that we could have failed the course when we arrived at the final and it was for a different discipline than what we were studying. We taught each other and prevailed, but it was all our own doing.

          I have found similar amounts of care and attention at other businesses I have worked for - many of them large international companies. I wonder continuously how our history would have been different if these ass hats - who seem to be everywhere - had not muddled up just about everything they touch.

          1. yetanotheraoc Silver badge

            Re: Several thoughts

            "I wonder continuously how our history would have been different if these ass hats - who seem to be everywhere - had not muddled up just about everything they touch."

            The first law of business is scarcity. Capital is scarce, raw materials are scarce, talent is scarce. Not only is there no money to hire the best workers, there is no money to hire the best managers. There is barely enough money to pay for the (a priori) best CEO. (Just kidding.) The ass hats do not just seem to be everywhere -- they *are* everywhere.

            The sad thing about this is that the MoD, both yours and ours, is supposed to be well aware of this scarcity. The MoD's over-arching talent is *supposed* to be creating robust systems which allow for sub-optimal talent to be plugged into various tasks and still accomplish an acceptable quality of work. Big systemic fail here.

            1. Terry 6 Silver badge

              Re: Several thoughts

              Too many things missing from that.

              There's the Peter Principle

              Dunning-Kruger

              A class system that emphasises knowing (or being) the "right people" over meritocracy*

              And above all, the products of the above making bloody sure that no one more competent than themselves gets a chance to be in charge or, God forbid, change things.

              *A bit of research into the background and career of Toby Young will tell you all you need to know (not Wikipaedia - which says almost nothing). This will do as a starting point- though I'm no lover of the Guardian.

              https://www.theguardian.com/education/shortcuts/2019/mar/13/us-admissions-scandal-oxbridge

    2. Wellyboot Silver badge

      Re: Several thoughts

      It's not PC BS, British Army officer promotions and awards have been published in the London Gazette* since the mid 17th C. Publishing NCO promotions is just more of the same.

      The problem here is linking current operational postings to all the other details and not filtering out the UKSF.

      *Along with a wide array of other information, it was 'the' official UK publication pre internet, and even now it's still very useful.

      1. Yet Another Anonymous coward Silver badge

        Re: Several thoughts

        It is for example vital information should you ever need to find the first name of a baby found in a handbag

        1. Martin
          Happy

          Re: Several thoughts

          <appalled voice>

          A handbag?

          </appalled voice>

      2. EnviableOne

        Re: Several thoughts

        The London Gazette is the UK official record, published by HMSO

        It's still where bills are published,

        where company formations and sanctions are published,

        It's online only now https://www.thegazette.co.uk/

  8. Anonymous Coward
    Anonymous Coward

    Whoever is responsible

    for this security breach should be jailed, they have potentially put people's lives at risk. It's more than a ticking off offence.

    1. Wellyboot Silver badge
      Facepalm

      Re: Whoever is responsible

      After putting a large number of SF types & by implication their families at risk I'd really not want to be found and would take solitary in a foreign prison under an assumed name in a heartbeat for this.

      1. seven of five

        Re: Whoever is responsible

        Well, getting people out of such places is part of their job, so no point in going there in first place.

  9. keithpeter Silver badge
    Windows

    Issue new service numbers?

    And credit those new numbers with accrued service to ensure pension entitlements &c?

    This one needs proper mitigation methinks, not a subscription to a credit reporting agency.

    1. Yet Another Anonymous coward Silver badge

      Re: Issue new service numbers?

      I'm assuming that because of German Tank Problem you wouldn't give troops sequential numbers

      So you could issue all soldiers with multiple serial numbers to confuse a statistically advanced enemy.

      1. Ken Moorhouse Silver badge

        Re: German Tank Problem

        Good link!

      2. khjohansen

        Re: Issue new service numbers?

        [german accent] Non-sequential *serial numbers*!!?? In-conceivable! [/german accent]

  10. Ken Moorhouse Silver badge

    The question is...

    Who or what is in column E?

    (That's the Fifth Column btw).

  11. Stu J
    FAIL

    Fuckssake

    :facepalm:

  12. Anonymous Coward
    Joke

    At least it was sorted in the right order this time!

    https://www.theregister.com/2020/08/07/army_promotion_excel_snafu/

    1. 7teven 4ect

      Re: At least it was sorted in the right order this time!

      Just saw your username? Did you study maths at B'ham uni?

  13. Grey_Kiwi

    Quite apart from the Special Forces issue, I'd be quite worried about the specialisations being displayed.

    Knowing that SGT Smith is, e.g., a Networks specialist working in a formation of interest would probably make her or him of considerable interest to certain Foreign Intelligence Services, either immediately or at least worth keeping an eye on to see where they go next.

    This is both an OPSEC and an INFOSEC breach of pretty monumental proportions.

  14. Richard 12 Silver badge
    WTF?

    Wrong priorities there

    “The leak of this information to media outlets is being investigated by the MoD and it would be inappropriate to comment further at this time.”

    So if it had only gone to foreign agents who wish to do harm to the UK, that would have been ok?

    It's only worth investigating how the media found out that all this highly sensitive personal data has been handed to anyone interested?

    1. Anonymous Coward
      Anonymous Coward

      Re: Wrong priorities there

      Yes, foreign spies wouldn't publicly embarrass the government.

  15. Persona Silver badge

    Plus side?

    Handy for anyone wanting to build a good mercenary army.

  16. Christoph

    "the practice of sharing newly promoted people’s personal details in a spreadsheet accessible by the entire 80,000-strong British Army was routine"

    A secret that is shared among 80,000 people is not a secret.

    1. Anonymous Coward
      Anonymous Coward

      The invasion of Normandy was shared among twice that many.

      1. Cynic_999

        No, the most important details of the invasion were not known to many people until very close to the time - at which point the majority who knew were being held incommunicado until D-day. In addition, there was a lot of deliberate false information "leaked" so that should the real plans be leaked the enemy would hopefully not know what information to take seriously.

        It's one thing to know that a large invasion will take place some time in the next 3 months, but quite another to know the exact time & place where it will happen.

        1. EnviableOne

          In fact that actually happened: the Germans managed to get hold of the plans for D-Day, from a planner killed during exercises in preparation on the north Devon coast (washed up in the Bay of Biscay) but rejected them as too complex, instead believing that the attack would come over the Pas de Calais

  17. Anonymous Coward
    Anonymous Coward

    #goodolddays

    Would never have happened in the MOD late 80's 'airgap' LANs and put 'Apricot removable HDD in locked cabinet' when heading for silver service lunch in the Officers mess.

  18. TheProf

    The Name's Public, James Public

    Anything to do with Bond moving over to another 'employer'?

  19. Anonymous Coward
    Anonymous Coward

    This is not very reassuring

  20. teamonster
    FAIL

    Just imagine being a so-called 'security professional' and being called on the carpet for having the same level of competency as Dido Harding. Ouch!

  21. davidp231
    Facepalm

    Cooler...

    three veeks.

  22. Arty Effem

    "Take that man's name, sergeant!" x 1182

  23. AkodoGilador
    FAIL

    GPMS is obsolete. The GSCP only has OFFICIAL, SECRET and TOP SECRET.

  24. Anonymous Coward
    Anonymous Coward

    Quick solution.

    Publish multiple lists with false data. It may sow doubt as to the validity of the original.

  25. Aussie Doc
    Thumb Down

    Wow

    Firstly, I really hope that nobody from the SF and family suffer from this stupidity.

    Secondly, "Usually we just allow anyone in the armed forces to look at very sensitive data regarding all personnel, with an Excel password, on the intranet".

    Somebody actually said that and that's all right then??? Is that MILSPEAK for "your data is important to us..." etc etc

    Finally, and this is really sarcy/Godwin's Law stuff but...

    <Clears throat>

    "Not the first time some Corporal stuffed up and caused us a few headaches."

    <Now rolls eyes>

    But, seriously, I hope nobody gets seriously hurt by this and I don't mean some Captain's feelings.

  26. TimMaher Silver badge
    Flame

    “a corporal working as a clerk”

    Bet they are not on next year's list.

    Maybe they felt they should have been on this one?

    Bitterness.

  27. Anonymous Coward
    Anonymous Coward

    Many years ago, a guy in the SAS said that every time his family moved home, the IRA would send a letter to his wife, along the lines of "We still know where you live. We can get you at any time".

  28. Augie

    Wow..

    beadwindow much.....
