Imperva says UK MoD manual leak caused by breakdown in security procedures

(PresseBox) ( Redwood Shores, CA, )
Whilst reports that a UK government document advising officials on how to keep documents from leaking to the Internet has actually leaked on the Web may sound amusing, the reality is a whole lot different, says Imperva, the data security specialist.

According to Amichai Shulman, Imperva's chief technology officer, the fact that the 2,400 page defence 'manual of security' was published on Wikileaks - a site designed for anonymous leaks of documents from governments - suggests that the leak was caused by a breakdown in IT security procedures.

"The document contains three volumes and together, they are listed as restricted. However, some sections are available to the general public - a simple Google search shows these results," he said.

"At first sight, given the above, we could assume that this may have been the result of the actions of single member of staff - someone with access to the CD itself, or perhaps the Ministry of Defence intranet," he added.

However, says Shulman, the document's datestamp is October 2001, so the MoD probably considers the file to be outdated.

The Imperva CTO went on to say that, perhaps the file was on its way to be digitally demolished, or left on some old misconfigured server and a Google search picked it up.

An additional scenario, says Shulman - and one that he has witnessed whilst working in the armed forces - is that a classified military contractor may have been given the documents and placed them on an internal network.

And then, he explained, the data may have leaked from the internal network to a public-facing server over a period of time.

The leakage of such a document - and the attendant publicity the incident has received - should, he says, serve as a wakeup call for organisations that, when sharing sensitive information with partners, they need to have adequate security in place at all times.

"While an organisation may have very tight internal controls regarding sensitive information, when this information is shared with business partners it is subject to whatever controls are applied by that partner," he said.

"This is, for example, why the PCI-DSS standard requires that PCI-related information from a PCI compliant organisation is only shared with other companies that can demonstrate compliance with the PCI standard," he added.

For more on the MoD manual of security leak:

For more on Imperva:
The publisher indicated in each case is solely responsible for the press releases above, the event or job offer displayed, and the image and sound material used (see company info when clicking on image/message title or company info right column). As a rule, the publisher is also the author of the press releases and the attached image, sound and information material.
The use of information published here for personal information and editorial processing is generally free of charge. Please clarify any copyright issues with the stated publisher before further use. In the event of publication, please send a specimen copy to