Exclusive An astonishing data security blunder saw the personal data of Special Forces soldiers circulating around WhatsApp in a leaked British Army spreadsheet.
The document, seen by The Register, contained details of all 1,182 British soldiers recently promoted from corporal to sergeant – including those in sensitive units such as the Special Air Service, Special Boat Service and the Special Reconnaissance Regiment.
Special Forces soldiers’ identities are supposed to be protected from public disclosure in case terrorists target them or their families. Yet yesterday an Excel file was freely being passed around on WhatsApp groups after being leaked from inside the Ministry of Defence.
The spreadsheet detailed personnel posted to 18 Signals Regiment, the SAS and SBS' communications experts, and their specialisms
The document, which appeared to have last been modified late yesterday morning by a corporal working as a clerk for one unit's Regimental Career Management Officer (RCMO), was available for download on WhatsApp with no password protection or government protective markings such as “confidential” or “secret”.
To help protect UK Special Forces soldiers’ identities, whenever they enter the public eye they are always referred to by the MoD as serving with their former unit. So a paratrooper from that regiment’s 2nd Battalion who joins the SAS and is later decorated at Buckingham Palace for secretly smiting the Queen’s enemies is always named publicly as “Trooper Bloggs, 2 PARA”.
Yet the spreadsheet busted this convention by linking soldiers’ former and current units together, under separate headings of “capbadge” and “unit.”
Worst of all, as well as naming newly promoted senior non-commissioned officers, the spreadsheet disclosed their unique service numbers. These can be cross-referenced against public records to enable service histories to be traced – potentially outing former SF personnel years after they retire.
The spreadsheet’s only nod to privacy was a one-line warning that said: “NOT TO BE DISCLOSED BEFORE 0900 HOURS UK LOCAL 03 JUN 21.” Ironically, it appeared to have originated from a secretive Royal Marines unit.
A former Army source told The Register the practice of sharing newly promoted people’s personal details in a spreadsheet accessible by the entire 80,000-strong British Army was routine, but said: “Normally this is passworded and kept on the intranet.”
- British Army adopts WhatsApp for formal orders as coronavirus isolation kicks in
- MoD: Our networks are in 'unacceptable' state and both data and IT bods are stuck in silos
- US Army develops natural-language voice-command AI for robots, tanks, etc. For search'n'rescue. For now
- Prince Philip, inadvertent father of the Computer Misuse Act, dies aged 99
Details of soldiers posted to non-sensitive units were also viewable in the spreadsheet, which covered the entire Army: all units from the Army Air Corps to the Royal Welsh Fusiliers.
An Army spokesperson told The Register: “We are aware that the Corporal to Sergeant Promotion Board results have been obtained by some media outlets. The results of this Board are not due for release internally in MOD until 3rd June.”
He added: “The leak of this information to media outlets is being investigated by the MoD and it would be inappropriate to comment further at this time.” ®