UK Special Forces soldiers' personal data was floating around WhatsApp in a leaked Army spreadsheet

Bizarre promotion practice leads to near-inevitable breach

Exclusive An astonishing data security blunder saw the personal data of Special Forces soldiers circulating around WhatsApp in a leaked British Army spreadsheet.

The document, seen by The Register, contained details of all 1,182 British soldiers recently promoted from corporal to sergeant – including those in sensitive units such as the Special Air Service, Special Boat Service and the Special Reconnaissance Regiment.

Special Forces soldiers’ identities are supposed to be protected from public disclosure in case terrorists target them or their families. Yet yesterday an Excel file was freely being passed around on WhatsApp groups after being leaked from inside the Ministry of Defence.

The spreadsheet detailed personnel posted to 18 Signals Regiment, the SAS and SBS' communications experts, and their specialisms

The spreadsheet detailed personnel posted to 18 Signals Regiment, the SAS and SBS' communications experts, and their specialisms

The document, which appeared to have last been modified late yesterday morning by a corporal working as a clerk for one unit's Regimental Career Management Officer (RCMO), was available for download on WhatsApp with no password protection or government protective markings such as “confidential” or “secret”.

To help protect UK Special Forces soldiers’ identities, whenever they enter the public eye they are always referred to by the MoD as serving with their former unit. So a paratrooper from that regiment’s 2nd Battalion who joins the SAS and is later decorated at Buckingham Palace for secretly smiting the Queen’s enemies is always named publicly as “Trooper Bloggs, 2 PARA”.

Yet the spreadsheet busted this convention by linking soldiers’ former and current units together, under separate headings of “capbadge” and “unit.”


The leaked spreadsheet included details of non-special forces units as well

Worst of all, as well as naming newly promoted senior non-commissioned officers, the spreadsheet disclosed their unique service numbers. These can be cross-referenced against public records to enable service histories to be traced – potentially outing former SF personnel years after they retire.

The spreadsheet’s only nod to privacy was a one-line warning that said: “NOT TO BE DISCLOSED BEFORE 0900 HOURS UK LOCAL 03 JUN 21.” Ironically, it appeared to have originated from a secretive Royal Marines unit.

Royal Marines Poole is the base of the Special Boat Service

Royal Marines Poole is the base of the Special Boat Service

A former Army source told The Register the practice of sharing newly promoted people’s personal details in a spreadsheet accessible by the entire 80,000-strong British Army was routine, but said: “Normally this is passworded and kept on the intranet.”

Details of soldiers posted to non-sensitive units were also viewable in the spreadsheet, which covered the entire Army: all units from the Army Air Corps to the Royal Welsh Fusiliers.

An Army spokesperson told The Register: “We are aware that the Corporal to Sergeant Promotion Board results have been obtained by some media outlets. The results of this Board are not due for release internally in MOD until 3rd June.”

He added: “The leak of this information to media outlets is being investigated by the MoD and it would be inappropriate to comment further at this time.” ®

Similar topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022