Met Police Contractor Hack Places Officer Data At Risk


Metropolitan Police on high alert following a significant breach of an IT contractor that led to officers’ and workers’ data being compromised

Data belonging to the Metropolitan Police has been compromised after the IT systems of a contractor were hacked.

The Met Police confirmed at the weekend that it “has been made aware of unauthorised access to the IT system of a Met supplier.”

The breach is potentially serious, as it exposes the names, ranks, photos, vetting levels and pay numbers for 47,000 Met police officers and staff. This is the latest of a number of breaches affecting a UK police force.

Met breach

In its statement, the Met police said “we have been working with the company and understand that their security breach does include Metropolitan Police data.”

However, it seems that the contractor had access to names, ranks, photos, vetting levels and pay numbers for 47,000 officers and staff.

The good news is that the contractor did not hold personal information such as addresses, phone numbers or financial details.

“Security measures have been taken by the MPS as a result of this report,” said the Met police. “The MPS has reported the matter to the National Crime Agency and the Information Commissioner’s Office.”

It has been widely reported in the media that the hacked contractor was responsible for printing warrant cards and staff passes.

Rick Prior, vice chair of the Metropolitan Police Federation, told Sky News any potential leak “will cause colleagues incredible concern and anger”.

“We share that sense of fury… this is a staggering security breach that should never have happened,” he reportedly said.

“Given the roles we ask our colleagues to undertake, significant safeguards and checks and balances should have been in place to protect this valuable personal information which, if in the wrong hands, could do incalculable damage,” Prior reportedly said.

“The men and women I represent are justifiably disgusted by this breach,” Prior was quoted by Sky News as saying. “We will be working with the force to mitigate the dangers and risks that this disclosure could have on our colleagues. And will be holding the Metropolitan Police to account for what has happened.”

Police hacks

Hacks of UK police forces have lessened in recent years, after Big Brother Watch had reported in 2016 that there had been more than 2,000 breaches of personal data since 2011.

But in the past couple of months there have been notable incidents.

Earlier this month Norfolk and Suffolk police admitted that personally identifiable information on crime victims had been compromised.

Norfolk and Suffolk police admitted “an issue relating to a very small percentage of responses to Freedom of Information (FOI) requests for crime statistics, issued between April 2021 and March 2022.”

Shortly before that, the Police Service of Northern Ireland had admitted that an FOI request had accidentally exposed the names and locations of every police officer in Northern Ireland – valuable data that has wound up in the hands of dissident republicans.

Hornets’ nest

Paul Brucciani, cyber security advisor at cyber threat specialist WithSecure, said the hackers, by compromising police data, have stuck their hand into a hornets’ nest and may soon regret drawing attention to themselves.

Brucciani said there are far easier ways to obtain personal information. It is also possible that the hack was perpetrated directly or indirectly by a state-sponsored group for geopolitical reasons.

“To add context to the remarks made by Rick Prior, vice chair of the Metropolitan Police Federation, 27 percent of companies worldwide have suffered a data breach costing more than US $1m since Oct 2019,” said Brucciani.

“Online organisations put themselves in the firing line of cyber threats every single day,” Brucciani added. “You can’t eliminate these outside threats any more than you can control the rain.”

Brucciani, however, said organisations can be prepared by:

  • minimising the organisation’s attack surface – all possible entry points for unauthorised access into any system – and placing obstacles in the path of the attacker.
  • minimising the number of internet-facing assets; closing unneeded open ports; identifying all physical and digital elements that are accessing the network; and identifying and prioritising for remedial action the vulnerabilities within your internet-facing software and your supply chain (the source of this attack).
  • managing residual risks by enforcing appropriate security policies, proactive detection and response to threats and regular testing and validation of their security incident response plan.
  • implementing multi-factor authentication wherever possible or enforcing strong passwords.

“Taking these steps will make your organisation a less attractive target for criminals,” Brucciani concluded.