Computer theft exposes security shortfalls at AWE

Categories: 
Letter extract

The theft of two computers from the Atomic Weapons Establishment (AWE) in 2015 has exposed “poor asset management” and “failings” in authorisation processes, according to the results of a Ministry of Defence (MoD) investigation.

The two computers - one HP laptop and one HP desktop computer – were removed from the AWE Aldermaston site by an information technology (IT) contractor working at the site, who failed to go through the correct channels to request permission to take the computers home.  The computers were kept at his home for a number of months and their loss was not reported by AWE to MoD until January 2015.

A former AWE contractor, Graham Heaysman, pleaded guilty to theft of the computers and was fined £250 at Guildford Magistrates Court in August 2015.

At the time AWE claimed that there was no security risk associated with the incident, stating that: “AWE can confirm that a former contractor was charged earlier this year with two counts of theft of company assets.

“A plea of guilty was submitted to the court on August 4. AWE is committed to upholding and maintaining the highest standards in relation to the security and confidentiality of company information.

“It would be inappropriate to comment on the circumstances of this case any further.”

However, information obtained by Nuclear Information Service under the Freedom of Information Act reveals a different story.  Following the incident the matter was reported to the MoD Defence Equipment and Support Principal Security Advisor and to the Ministry of Defence Police, and two internal investigations were conducted.

A letter dated 13 March 2015 from Andy MacKinder, Head of Strategic Weapons Project Team (SWPT) at MoD, to Kevin Bilger, then Managing Director of AWE states that the findings of an independent MoD investigation into the incident had highlighted “poor asset management of AWE IT equipment” and “failings in the authorisation process for the removal of IT Equipment from site”.  Details of further shortfalls have been redacted from the letter on security grounds.

Mr Mackinder writes that he “would like to understand what has been done to ensure that an incident such as this cannot happen again”, and requests that “no future IT contracts (for non-consumables) will be let without SWPT prior approval” until improvements had been put in place.  A meeting to discuss measures for managing AWE's IT assets was scheduled to take place one month later.

The contract between MoD and the AWE consortium for operating AWE sites specifies that “Information and Assets at the AWE sites must be protected”, and  AWE is responsible for immediately notifying the Strategic Weapons Security Authority of any reported loss of material or information classified 'secret' or above.

Download a copy of correspondence relating to the incident here:

Add new comment