Categories: Security

ICO: Met Police Use Of Windows XP Risks User Data Security

The Information Commissioner’s Office (ICO) has criticised the Metropolitan Police Service (MPS) over its continued use of Windows XP, amongst other factors that it said “limited” the level of assurance that personal data was handled securely.

The ICO carried out an audit of the MPS’ compliance with the Data Protection Act earlier this year, with the MPS’ consent, and found there was “considerable scope for improvement” in its arrangements.

‘Risk to personal data’

It praised the MPS on several points, including guidance given to staff in the MPS security manual and METSEC code, the presence of an Information Assurance Unit with an internal audit plan and visible reminders to staff of policies such as clear desk and clear screen requirements.

But it said the service’s use of Windows XP on some desktop and laptop computers mean there was a “residual risk to personal data” due to the fact that critical patches are no longer available for the platform.

The regulator also took the Met to task over its backup and disaster recovery systems, saying backup arrangements for file systems aren’t tested to ensure they are recoverable in the event of a disaster.

Some business continuity plans are incomplete or overdue for review, with some not having been tested and lacking information on how to maintain or recover records if required.

Applications ‘slow upgrades’

The database used to store business continuity plans is unsupported and isn’t backed up, the ICO said.

The ICO also noted weaknesses in MPS’ procedures for removing access to applications and buildings once they’re no longer required, creating the risk of unauthorised access to buildings.

“There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance,” the ICO said in an executive summary of its findings.

The Met responded that it is currently undertaking to renew its IT infrastructure and equipment such as desktop computers, but said upgrades were complicated by the use of specialised applications that might not necessarily be supported on newer platforms.

“Replacements or remediation for this software that are compatible with a more modern operating system have to be ready before the roll-out is completed to ensure continued operational effectiveness,” the MPS stated.

The force added that it has upgraded more than 17,000 devices to Windows 8.1, reducing the number of desktops running Windows XP to about 10,000.

The NHS has also been criticised for its ongoing reliance on Windows XP, but security experts said this fact didn’t contribute to disruption caused by the recent WannaCry ransomware worm, with 97 percent of the systems affected running Windows 7.

Windows XP remained largely unaffected by the worm, since the attack technique used by WannaCry failed to cause an infection, merely causing the platform to crash, researchers found.

Do you know all about security in 2017? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Amazon Boss Denies Return To Office Mandate Is ‘Backdoor Layoff’

CEO Andy Jassy tells Amazon staff that the recent 5-day in-office mandate is not meant…

16 hours ago

Apple Set To Be Fined Under EU’s Tough DMA – Report

Tech giant Apple could be facing another hefty financial penalty, amid a report the EU…

17 hours ago

Serco Tracking Devices On Prison Vans Disabled After Cyberattack

Worrying development. Cyberattack on third party supplier disables tracking systems and panic alarms in Serco…

19 hours ago

UK Orders Chinese Entity To Sell Stake In Scottish Chip Firm FTDI

Chinese owner of Scottish fabless semiconductor firm FTDI ordered to sell majority stake, due to…

22 hours ago

Watchdog Says Vodafone, Three Merger Could Proceed With Certain Remedies

British competition regulator provisionally finds Vodafone, CMA merger can proceed, if 'remedies' on pricing and…

23 hours ago