Gwent Police is being investigated after allegedly failing to inform hundreds of people, that hackers may have accessed their confidential reports to the force.
Sky News has learned that up to 450 people who filed reports through an online tool over a two-year period could have been put at risk by hackers due to security flaws.
Although the tool was decommissioned after an internal security review discovered that confidential information was being exposed, the force did not inform the individuals who were affected.
In what may amount to a breach of its responsibilities under the Data Protection Act, the force also failed to notify the Information Commissioner's Office until it was contacted by Sky News.
This week, a spokesman for the force said: "Gwent Police has recently contacted the Information Commissioner's Office (ICO) and confirmed that formal notification will be provided for consideration.
"Data integrity is of paramount importance to Gwent Police and we continually review our governance procedures to minimise the risk of data breaches."This week, a spokesman for the force said:
The potential breach was discovered in February 2017, when the force said an immediate "investigation was commenced to establish whether any data had been accessed".
However, the investigators found that the web server logs from the hosting company which could reveal whether hackers had accessed the reports only stored access information covering the previous 24 hours.
The tool was created by the force's digital development team and is understood to be unique to the force.
An ICO spokesperson confirmed: "We've been made aware of an incident involving Gwent Police and will be making enquiries."by Author
"I am responsible for monitoring and scrutinising the performance of Gwent Police. I will be asking the chief constable for a full and comprehensive report on data breaches and the process in place for identifying and acting upon them.
"Moving forward, I will seek reassurance that the protection of personal data of the public we serve is of paramount importance and that any lessons learnt from previous breaches are implemented with immediate effect."by Author
A spokesperson for the force told Sky News: "We are not able to confirm whether this data had been accessed.
"However, in mitigation, for someone to access this data, they would have had to been actively looking on the specific area of the site, had a reasonable level of technical skill and known a complex URL (which was long in length and a mixture of random characters).
"There has been no other form of communication (complaints or any malicious activity on our security system). It was concluded that there was a high probability no data had been accessed and no risk to any individuals."by Author
Gwent Police's failure to report the potential breach stands in stark contrast to a breach at Uber, where the company is accused of paying a hacker to conceal the confirmed theft of information belonging to 57 million customers.
Speaking to Sky News, Raef Meeuwisse, the author of Cybersecurity for Beginners, said:
"The response of any organisation to a potential data breach should always reflect the value or sensitivity of the information involved.
"In this case, it is surprising that the team dealing with this on behalf of Gwent Police do not appear to have considered this a notifiable incident.
"Gwent Police did not have the means to verify if any copy of the sensitive data posted on the internet had been taken.
"Despite this, they also chose not to contact the 450 people or organisations to alert and support them and they also decided not to report the matter to the ICO or any other entity."Raef Meeuwisse
Mr Meeuwisse, who has been involved as a consultant in many high-profile breach responses during his career, added: "Although it is good news that it was a security review for Gwent Police that identified the issue, the process from that point onwards seems to have fallen over."
IS Know How's Further Thoughts:
There are Three key takeaways from this potential breach.
- If it wasn't for the "Internal Security Review", then this possible breach of the purported 450 Data Subject's Personal and / or Sensitive Information would have gone unnoticed by all parties, unless it of course appeared within online channels that are often utilised by Threat Actors. However, this does go to show, one of the many benefits to carrying out a periodic security review, which your own Third Sector organisation may well benefit from also.
- The fact that as reported, Gwent Police failed to notify either the Breached Data Subjects, or the relevant Authorities is somewhat concerning, when we think of a regional Police Force and whom are definitely in a position of trust with our Data, as much as they are with doing the wonderful jobs they do within and for our communities. It will be interesting to see how this is dealt with and what the final resulting action, if any, is taken by the Information Commissioner's Office (ICO) in relation to this breach.
- Finally, it is important to bring attention to the fact that it does NOT matter the size of an organisation or the type, which as in this instance being a Police Force, or recently where even the Information Commissioner's Office (ICO) experienced a breach. It is nowadays very much a likelihood, that your organisation will experience a data breach of some magnitude and especially if you aren't suitably prepared right throughout your organisation. It really is all about focusing on 'How Well Prepared is your Third Sector Organisation to Mitigate such an Event in the Future?' and if you are not, you must act in a timely and responsible manner to connect the missing parts in your Data & Cyber Security positioning.
IS Know How can provide your Charity, Social Enterprise or Not-for-Profit with several types of 'Proactive & Affordable Cyber Resilience Services', which are 'Fully Managed, So You Don't Have To' that can be deployed to cover Desktop & Server Endpoints, Email Mitigation, along with Website DDoS Mitigation and you can see those detailed below.
If there is anything else at all that you would like to enquire about, please Call Us on: 02921-679-021 during business hours, or alternatively open a New Support Ticket 24x7x365, and we will respond as promptly as possible.
We look forward to engaging with your Third Sector Organisation, where we combine the 'Complexity of Cyber Security, with the Simplicity of your organisations risks being Managed For You'.