ICO: Met Police Use Of Windows XP Risks User Data Security

The Information Commissioner’s Office (ICO) has criticised the Metropolitan Police Service (MPS) over its continued use of Windows XP, amongst other factors that it said “limited” the level of assurance that personal data was handled securely.

The ICO carried out an audit of the MPS’ compliance with the Data Protection Act earlier this year, with the MPS’ consent, and found there was “considerable scope for improvement” in its arrangements.

‘Risk to personal data’

It praised the MPS on several points, including guidance given to staff in the MPS security manual and METSEC code, the presence of an Information Assurance Unit with an internal audit plan and visible reminders to staff of policies such as clear desk and clear screen requirements.

But it said the service’s use of Windows XP on some desktop and laptop computers means there was a “residual risk to personal data” due to the fact that critical patches are no longer available for the platform.

The regulator also took the Met to task over its backup and disaster recovery systems, saying backup arrangements for file systems aren’t tested to ensure they are recoverable in the event of a disaster.

Some business continuity plans are incomplete or overdue for review, with some not having been tested and lacking information on how to maintain or recover records if required.

Applications ‘slow upgrades’

The database used to store business continuity plans is unsupported and isn’t backed up, the ICO said.

The ICO also noted weaknesses in MPS’ procedures for removing access to applications and buildings once they’re no longer required, creating the risk of unauthorised access to buildings.

“There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance,” the ICO said in an executive summary of its findings.

The Met responded that it is currently undertaking to renew its IT infrastructure and equipment such as desktop computers, but said upgrades were complicated by the use of specialised applications that might not necessarily be supported on newer platforms.

“Replacements or remediation for this software that are compatible with a more modern operating system have to be ready before the roll-out is completed to ensure continued operational effectiveness,” the MPS stated.

The force added that it has upgraded more than 17,000 devices to Windows 8.1, reducing the number of desktops running Windows XP to about 10,000.

The NHS has also been criticised for its ongoing reliance on Windows XP, but security experts said this fact didn’t contribute to disruption caused by the recent WannaCry ransomware worm, with 97 percent of the systems affected running Windows 7.

Windows XP remained largely unaffected by the worm, since the attack technique used by WannaCry failed to cause an infection, merely causing the platform to crash, researchers found.

Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
