Australian scaleup to bring AI-led data protection to the MoD

The UK’s Ministry of Defence (MoD) has selected Australian cyber scaleup Castlepoint Systems to run its data environment and prevent breaches, with its artificial intelligence (AI) technology providing oversight of complex datasets and safeguarding them from accidental or intentional leakage.

The appointment marks Castlepoint’s first foray into British government work, and comes in the wake of a major data breach at the MoD’s Afghan Relocations and Assistance Policy (Arap) scheme, which affected thousands of Afghan asylum applicants.

Developed and iterated over the past 13 years, Castlepoint’s platform deploys proprietary explainable AI to manage structured and unstructured data, enable automated records management, discovery, privacy and security, and ensure regulatory compliance. This is accomplished as an overlay, which means users should not need to change their existing systems or undertake complex integration exercises.

The firm already has significant experience working with government bodies in Canberra under Australia’s highly regarded data regulatory regime, and is targeting UK business as it seeks a global footprint. As such, it has recently set up its first London headquarters. In its home markets, meanwhile, its tools already manage almost 300 million records in over 1.6 million separate systems, and have identified over a quarter of a billion sensitive and high-risk records across its customer base over the years.

“Securing this contract with the Ministry of Defence as our first UK account is a key milestone for Castlepoint, underscoring the critical importance of sophisticated data control for any organisation, not just national security,” said Castlepoint CEO Rachael Greaves.

“The MoD faces a complex challenge in managing vast and sensitive datasets in the knowledge that even a single case of data leak or loss can be catastrophic. I’m pleased that after undertaking a very thorough global search, Castlepoint was selected by MoD as the best solution to solve this problem.” 

The problem: Human errors ruin human lives

The Arap incident began in 2022 with the leak of a dataset containing details of over 18,000 asylum applicants, individuals who had worked with or for UK forces in Afghanistan and were at risk of reprisals from the resurgent Taliban. It resulted in a cover-up, the creation of a secret relocation scheme, and a three-year superinjunction against the British press that prevented the blunder from reaching wider attention until this summer.

The spreadsheet at the centre of the breach was leaked in error by an MoD staffer who thought they were sending the details of about 150 asylum applicants outside of authorised government systems, unaware that the file in question was much larger and contained much more data than it appeared. A small portion of this spreadsheet later appeared online.

Recent history is littered with similar incidents that have arisen as a result of data mismanagement. In Australia, for example, the multi-year scandal surrounding Vivian Alvarez Solon, who was found on the streets of the city of Lismore, New South Wales, in 2001, drunk and in extreme mental distress, provides another highly relevant example.

In this case, what followed was a series of mistaken assumptions and data handling errors that resulted in the Australian government deporting one of its own citizens. Presumed to be a human trafficking victim, Solon was sent back to the Philippines, the country of her birth, where she languished in a charity hospice.

In reality, Solon had married an Australian citizen in 1984, moved to the country legally, and became a naturalised citizen two years later, but on their own, the authorities never connected the dots that would have established this.

Solon’s story does have a happy ending. Following a relentless investigative campaign led by her by-then ex-husband, she returned to Australia in 2005 and was later awarded a multimillion-dollar compensation package.

“There’s dispossession, there’s deportation, there’s all kinds of things that can go wrong when you mismanage information, and government in particular is the custodian of that information for individuals who have no other control or autonomy over that data,” said Greaves.

“It’s unethical and it’s unreasonable and it’s unlawful to not protect that information properly. That doesn’t just mean protecting it from threat actors, although we’re not doing the best job at that, but it also means making sure that it’s available when it’s needed and can be used properly and is correct.

“If you don’t get those things right, it’s vulnerable people who bear the cost,” she told Computer Weekly.

The solution: Explainable AI

Castlepoint’s AI-powered data labelling technology is specifically designed to prevent mistakes like this by automatically identifying the contents of datasets and applying the correct security classifications to them. Essentially, said Greaves, it stops data being “missed” by humans who, through no real fault of their own, are simply not capable of getting to grips with the vast datasets governments hold.

She conceived the idea for Castlepoint’s tech when, working as a data auditor at a government client in Canberra, she found an “egregious” data error that could have resulted in danger to life.

Greaves reported this error but was told that because she only found one, it probably wasn’t that big a deal.

“I thought, ‘Well, no, there’s so many more because I know the process that put that there, but I’m just a human and I can’t go and read every single file’. Then I thought, ‘Well, what if I could?’,” she said.

Greaves built Castlepoint from this starting point with co-founder and chief technology officer Gavin McKay.

“Castlepoint reads,” she explained. “It reads every word and every item, every document, email, database, chat, message, ticket, web page, attachment or zip file. Whatever it is, if there’s an item and it has words in it, we’ll crack it open and we’ll read it. We use natural language processing [NLP] and some different pipelines to get the content out of that and understand what it is and what it’s about. We can then do the job a human would do if they had the time and the highlighters.”

Based on the AI’s understanding of the content and context of the data it encounters, the platform can then recommend appropriate and fully traceable security classification and protection measures based on the prevailing regulatory environment, organisational risk profile, or both.

These capabilities are also extensible to legacy records that may have missing or outdated labels, which means it can classify data retrospectively, detect what might have been over- or under-secured, and continuously review documents as their content and any legal regulations evolve.

Greaves said this classification process is transparent, explainable and, above all, contestable if needed, meaning the platform complies with ethical AI standards.

“Castlepoint, with explainable AI and true auto-classification at its core, can increase labelling accuracy and coverage without disrupting the essential work of MoD personnel,” said Greaves.

“We are a trusted technology provider for public sector organisations and enterprises in Australia and New Zealand, and having now established our global headquarters in London, we look forward to delivering our proven solutions to many more organisations in the UK.” 

The Castlepoint solution will be delivered at the MoD in partnership with Certes IT Solutions, a West Midlands-based managed services provider that has extensive experience with UK government bodies. Certes’ roster of case studies includes the Driver and Vehicle Standards Agency (DVSA), the Medicines and Healthcare products Regulatory Agency (MHRA), and the Trading Fund Government Department via the Government Digital Service (GDS).

