Government departments have published information online without properly removing potentially sensitive or secret data, according to reports on Sunday.
Sensitive information was published by the Ministry of Defence (MoD), Department of Health (DoH) and the Department for Communities and Local Government (DCLG) without being properly redacted, The Telegraph said in a report on Sunday. Redaction is the process of separating disclosable information from non-disclosable information in documents.
The slip was uncovered when the publication examined a sample set from thousands of documents published under Freedom of Information (FOI) requests, including one that revealed technical information about the Navy's nuclear submarines and what could cause a "catastrophic" meltdown in the on-board nuclear reactors, the report said.
Among the improperly edited information were Ministry of Defence documents detailing the names of officials working on a military submarine project. The MoD told ZDNet UK on Monday it had since removed the documents and replaced them with properly redacted versions.
"As soon as we were aware of this incident, we took immediate steps to ensure the document was removed from the public," a spokeswoman for the MoD said.
As a result of the oversight, the MoD said it is working to ensure that privileged information is not disclosed in future. "[The MoD] will check past FOI responses and review our processes for the release of sensitive information to prevent any recurrence of this type," the spokeswoman said.
The investigation also uncovered other instances of improperly redacted material. For example, a DoH document detailing a private meeting to discuss contaminated blood had the names of officials blacked out with a marker pen, leaving them legible if printed and held up to a light.
A spokeswoman for the department said in a statement that "the privacy of all individuals is paramount and we make every effort to ensure that names are taken out where appropriate".
The report also found that a DCLG document detailing commercial negotiations with a contractor had been saved in a non-secure format, allowing redactions to be reversed. That department is "taking steps to remedy the cases that have been highlighted" and will issue revised staff guidelines for the handling of sensitive information, a spokesperson told ZDNet UK on Monday.
Some of the documents uncovered in the report had information redacted with image-editing software, such as Adobe Photoshop, which left the contents unreadable on screen until highlighted by selecting the text. Security company Sophos described the situation as a "school-boy error", as even someone with a limited knowledge of computers would likely be able to see the information that had been obscured, and said that more careful handling is required.
"[Obscuring sensitive information] needs to be done properly if you care about privacy and avoiding a potentially damaging data leak," Graham Cluley, senior technology consultant at Sophos, wrote on Monday. "Unfortunately, time and time again, we've seen sloppy security procedures make it far too easy for unauthorised parties to view information in electronic documents that should have been properly redacted."