Victoria police has yet another problem with data security… new breaches familiar pattern of behaviour

October 16, 2016

Misuse of confidential information and regular data breaches have been a longstanding and systemic problem for the Victorian Police Force. In the past two years I have posted on problems with the misuse of the LEAP database, which contains personal information of Victorians, here and here. Police documents containing sensitive personal information were found in the possession of outlaw bikie gang members in 2013.

In his 2016 annual report the Victorian Commissioner for Privacy and Data Security set out problems in the Victorian Police with data management. There was a 36% increase in data security breaches over the previous year. The Commissioner identified 453 “Information security incidents”, broken down as follows:

  • Lost or Stolen Police Certificates of Identity: 207
  • Unauthorised Release or Disclosure of Information: 40
  • Data Spill (including exposure to police information): 32
  • Unauthorised Access: 27
  • Theft or Loss of Asset: 21
  • Malware Infection: 19
  • Abuse of Privilege: 18
  • Failure of Process: 10
  • Threat to Facility: 9
  • Unprofessional Conduct: 9
  • Access Controls: 5
  • Denial of Service: 5
  • Other Event: 5
  • Password Confidentiality: 5
  • Stolen Victoria Police Credentials: 5
  • Unauthorised Changes to Information, Applications, Systems or Hardware: 5
  • Configuration Error: 4
  • Fraudulent Activity: 3
  • Damage to Asset: 1
  • Social Engineering: 1
  • Suspicious System Behaviour or Failure: 1

The Commissioner undertook a longitudinal survey of members and made the following, concerning, findings:

  • knowledge as to what constitutes ‘law enforcement data’ is not well established
  • a substantial minority of sworn members would ‘work around’ an issue to get the job done rather than adhere to restrictive policy and procedure
  • members highlighted concern around lack of adequate storage space driving personal holdings of law enforcement data; and a high perceived likelihood that third party contractors would be unsupervised on station premises
  • members highlighted three broad areas of data security breach risk (by likelihood) including:
— the use of personally owned electronic equipment to capture and store law enforcement data
— requirements to operate out of unsecured offices
— the electronic transfer of law enforcement data, particularly through the use of USBs
  • the highest incidence of personally owned (and used) technology centred on mobile phones, USBs, and portable audio/visual recording devices

These issues are not unknown in data management. The concern is that they are occurring within Victoria Police, where data security is critically important.

The ABC provided a useful summary of the report in “Victoria Police security breaches rose by 30 per cent this year, ‘extremely concerning’ report shows”, which provides:

A State Government report has revealed what the Opposition is calling a “shocking” 30 per cent rise in security breaches in Victoria Police.

It found in the past financial year, 207 police identification tags went missing, 27 incidents of police officers inappropriately accessing computer systems and 40 cases of police data released without authorisation.

Some officers are also using their own mobile phones, computers and equipment to record data.

Opposition spokesman Edward O’Donohue said the increased number of incidents was shocking, given the consequences could be significant.

“It’s an extremely concerning report given sensitive nature of some of that information if it found its way into the wrong hands,” he said.

“Police obviously handle very sensitive information about investigations, about informants and about other persons of interest.

“If this information found its way into the wrong hands, it could have serious ramifications.”

Mr O’Donohue said the incidents highlighted a wider issue.

“Police are stretched, police are under pressure and we clearly need more police,” he said.

“We also need more rigorous adherence to the protocols and the systems that are in place to ensure these sorts of things don’t happen.”

The State Government has been contacted for comment.

The Herald Sun also covers the report and the issue quite well in “Victoria Police under fire for sharp rise in security breaches”, which provides:

EXCLUSIVE: VICTORIA Police has been slammed for a massive rise in security breaches which has sparked an unprecedented amnesty for officers.

A scathing government report has found 453 “information security incidents” in the past financial year, up 36 per cent on the year before, fuelling fears public safety was being put at risk.

The Privacy and Data Protection report found statewide:

207 police IDs lost or stolen;

27 incidents of police officers inappropriately accessing computer systems;

40 cases of police data released without authorisation; and

21 thefts or loss of an asset.

It can also be revealed police are using their own mobile phones, computers and equipment to record critical data.

Commissioner David Watts also ordered a second investigation into how police were protecting intelligence at three random stations: Morwell, Mansfield and Dandenong.

It found:

OFFICERS were capturing, storing and sending intelligence on their personal phones and computers, meaning the data was taken to crime scenes and unsecured locations.

SIGNIFICANT volumes of law enforcement data was being stored under desks and in personal lockers, rather than being securely filed.

UNSWORN staff had “limited or no awareness” of data security procedures and received no training about it even though they had “substantial and significant” exposure to intelligence.

Victoria Police moved to set up an amnesty so that “personal holdings” of law enforcement information among officers could be archived or destroyed.

Opposition police spokesman Edward O’Donohue said public safety could be at risk as confidential police information found its way into the community.

“Victoria Police data security breaches have increased a staggering 36 per cent with police identity and other information lost,” he said.

The force’s security incident registry shows of the recorded 453 incidents last year — up from 332 — one was considered to be “major” and 20 were deemed to be of “moderate” concern.

Police also reported 19 cases where malware infected the force’s computer systems.

Mr Watts surveyed more than 2000 officers, many of whom admitted to ignoring security policies so they could work more efficiently.

“Personal holding of law enforcement data continues to have a high likelihood of occurrence driven by limited storage space, a continued reliance on hard copy as well as electronic data, and the belief in the need to capture personal records of work activities,” the report said.

Victoria Police welcomed the Commissioner for Privacy and Data Protection’s report.

“We have been working closely with the Commission on a range of initiatives to improve information security within Victoria Police,” spokeswoman Sgt Anthoula Moutis said.

“Victoria Police takes security seriously and our commitment to this is evidenced in the cultural reform program we have been implementing.”

“This has included steps to lift the awareness of security issues in our workforce.”

She said the increase of incidents recorded by Victoria Police’s security incident register was an “anticipated result” of work to improve awareness of security issues.

“Such reports are encouraged because they provide important information on the risks and issues that we need to address,” Sgt Moutis said.

Police will consider Mr Watts’s final report before determining whether to make further changes.

Peter Morrissey SC, one of the state’s most respected criminal barristers and chair of the Criminal Bar Association, told the Sunday Herald Sun that slack data protection protocols were a serious threat to the integrity of the justice system.

“The problem is they need to have strong guidelines so that they know that if they capture information off the grid, as it were, then it is clear that they have to get it back on the grid. The informant, or co-ordinator of any prosecution, needs to know.”

Mr Morrissey said data integrity could be improved if more officers were recruited. “One way of ensuring data is kept properly is employing more police so they have time to properly handle and file information,” Mr Morrissey said.

Mr Watts is expected to hand his final report and recommendations to Victoria Police soon.

Victoria Police was unable to comment yesterday.

The State Government did not comment by press time.

The real problem is the lack of consequence for data breaches. Dismissal should be a likely outcome for an advertent breach. It is relevant to note that prosecutions would be a real possibility if the more serious data breaches occurred in the United Kingdom. As a cynical aside, the Annual Report was released late in the week, ensuring the reportage is confined to the weekend papers and news services.

2 Responses to “Victoria police has yet another problem with data security… new breaches familiar pattern of behaviour”

  1. Victoria police has yet another problem with data security… new breaches familiar pattern of behaviour | Australian Law Blogs

    […] Victoria police has yet another problem with data security… new breaches familiar pattern of behav… […]

  2. It is me.

    To Dear Peter,

    I have enjoyed reading this blog entry, keep up the great work!

