Data Protection Act violation? Welsh police force may be in trouble after it fails to notify people of potential data breach
Gwent Police is being investigated after it was revealed that hundreds of confidential reports from members of the public may have been exposed to criminals over a two-year period.
And to make matters worse, it is reported that the potential data breach was only reported to the Information Commissioner's Office (ICO) when a media outlet broke news about the issue.
News that Gwent Police is being investigated by the ICO emerged from Sky News this week, after it learned that up to 450 people who filed reports via an online tool over a two-year period could have been put at risk by hackers due to security flaws.
Although the online tool was decommissioned after an internal security review found that confidential information was being exposed, Gwent Police apparently did not inform the affected individuals.
And even worse, Gwent Police appears to have sat on this information for over a year before informing the Information Commissioner's Office.
By not notifying the Information Commissioner’s Office until it was contacted by Sky News about the matter, it could mean that the police force has breached its responsibilities under the Data Protection Act.
“Gwent Police has recently contacted the Information Commissioner’s Office (ICO) and confirmed that formal notification will be provided for consideration,” a spokesman for the force told Sky News.
“Data integrity is of paramount importance to Gwent Police and we continually review our governance procedures to minimise the risk of data breaches.”
It seems that the potential breach was discovered in February 2017, when the force said an immediate “investigation was commenced to establish whether any data had been accessed.”
But this investigation has been hampered by the fact that the hosting firm in question only stored web server logs from the previous 24-hour period.
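As an added illustration (not code from Gwent Police or its hosting provider) of the log review such an investigation depends on, and of why a 24-hour retention window hampers it: the script below parses combined-format web server logs, flags successful requests to a confidential-report path from outside an assumed internal network, and shows which of those events would already have been rotated away by the time the exposure was discovered. The log lines, path, token, address ranges and discovery time are all constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample log: the path, token, addresses and times are all made up.
SAMPLE_LOG = """\
10.1.2.3 - - [14/Feb/2017:09:02:11 +0000] "GET /report/submit HTTP/1.1" 200 5120
203.0.113.7 - - [14/Feb/2017:23:41:05 +0000] "GET /reports/export/k8Qz2vLp9wXa HTTP/1.1" 200 88120
10.1.2.9 - - [15/Feb/2017:08:15:00 +0000] "GET /reports/export/k8Qz2vLp9wXa HTTP/1.1" 200 88120
198.51.100.4 - - [15/Feb/2017:08:20:00 +0000] "GET /reports/export/k8Qz2vLp9wXa HTTP/1.1" 404 210
"""
TRUSTED_NETS = [ipaddress.ip_network("10.1.2.0/24")]   # assumed force-internal range
SENSITIVE_PREFIX = "/reports/export/"                  # assumed location of the exposed data
DISCOVERED_AT = datetime(2017, 2, 16, 8, 0, tzinfo=timezone.utc)  # assumed discovery time


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def untrusted_reads(entries, prefix=SENSITIVE_PREFIX, trusted=TRUSTED_NETS):
    """Successful (2xx) requests for the sensitive path from outside the trusted networks."""
    hits = []
    for e in entries:
        src = ipaddress.ip_address(e["ip"])
        if (e["path"].startswith(prefix) and 200 <= e["status"] < 300
                and not any(src in net for net in trusted)):
            hits.append(e)
    return hits


def evidence_window(entries, discovered_at=DISCOVERED_AT, retention=timedelta(hours=24)):
    """Split entries into those still retained at discovery and those already rotated away."""
    cutoff = discovered_at - retention
    kept = [e for e in entries if e["ts"] >= cutoff]
    lost = [e for e in entries if e["ts"] < cutoff]
    return kept, lost
```

In the constructed sample the only untrusted successful read predates the retention cutoff, so an investigator working from the retained 24 hours alone would never see it.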
The online reporting tool was created by Gwent police’s digital development team and is understood to be unique to the force.
“We’ve been made aware of an incident involving Gwent Police and will be making enquiries,” an ICO spokesperson told Sky News.
And the Police and Crime Commissioner for Gwent, Jeff Cuthbert, told Sky News he would also be investigating the incident.
“We are not able to confirm whether this data had been accessed,” a Gwent police spokesperson told Sky News.
“However, in mitigation, for someone to access this data, they would have had to have been actively looking on the specific area of the site, had a reasonable level of technical skill and known a complex URL (which was long in length and a mixture of random characters),” they said.
“There has been no other form of communication (complaints or any malicious activity on our security system),” said the police spokesperson. “It was concluded that there was a high probability no data had been accessed and no risk to any individuals.”
One security expert, however, was less than impressed by Gwent Police's slow reaction to the potential breach.
“That a data breach occurred through an online tool used by Gwent police is hardly shocking given the number of other breaches, reported and otherwise, that occur across the internet all year round,” explained Lee Munson, security researcher at Comparitech.
“What is shocking, though, is the fact that it went undetected for two years and then, when it was discovered, the incident response was sadly lacking,” Munson said. “Not only did the force ignore the fact that it should have informed the Information Commissioner’s Office but, worse, it did not consider the 450 or so people who may have had personal or other sensitive information compromised.”
“Worse than that, the assertion from a spokesperson that it was highly unlikely that a potential attacker could have swiped any data is dangerous thinking which may lull affected persons into thinking they need do nothing,” he added.
“In reality, affected persons should be considering the nature of the information they shared with Gwent police and checking email accounts for targeted phishing attempts, reviewing online banking accounts and changing passwords, as appropriate,” he concluded.
Another expert urged organisations to ensure they have the appropriate threat detection controls in place.
“Being breached isn’t necessarily something that can be completely avoided and most companies will face a breach or near-breach at some point,” said Javvad Malik, security advocate at AlienVault.
“With this in mind, it is important that companies have appropriate threat detection controls in place that can identify when a breach has occurred as soon as possible so that the appropriate response can be taken,” said Malik. “The response will involve isolating infected systems, assessing damage, and equally important issuing relevant notifications. This could be to partners, shareholders, regulators, and customers. This is of particular importance where personal information is disclosed and will be an area that will be scrutinised with more rigour once GDPR comes into force.”