Reports are coming in that an unencrypted USB stick – apparently containing details on the Sellafield nuclear site’s operations – was found by a coach driver in a Cumbria hotel room.
And it seems that the USB stick contained details of the nuclear firm’s proposed workforce transfer from its Capenhurst operation in Cheshire to uranium specialist Urenco.one.
This fact alone is manna from heaven to enemies of the UK, especially since the data on the USB stick suggested that International Atomic Energy technicians visiting the site were not sufficiently up to speed.
While the convenience of USB sticks make them an important tool for any business, you don’t have to be a nuclear scientist to know that the data carried on these devices must be protected.
Corporate USB sticks should always include encryption and other forms of security as a basic requirement because – as this incident clearly shows – unencrypted data can, and does, fall into the wrong hands.
And in the case of Sellafield – the former Windscale nuclear material processing and handling site – he added that the data on the USB stick falls firmly into the kind of information which has national security implications, especially with the UK currently being on heightened terrorist alert.
The discovery of this data on a USB stick in a hotel room is the kind of plot that would do justice to a John Le Carre thriller novel, rather than real-life hotel in deepest Cumbria.
But here we have a coach driver making a discovery that has serious national security overtones. That technicians and other employees at Sellafield are using USB sticks to store and move sensitive data is not really a surprise in today’s world, but that there are not policies and procedures in place to encrypt or otherwise protect the data on those devices is a real concern.
As the coach driver is quoted as saying in the local press, what if the USB stick had fallen into the hands of terrorists, or contained top secret information?
Sellafield has done the right thing in launching an investigation, but this is a potentially serious breach of data security on several levels, with national security overtones. Sellafield needs to look very carefully at its data security policies, and the technology that enforces those policies.