Yet another data breach in the UK Police force..this time hackers attack the Met
August 29, 2023 |
I
f it wasn’t for bad luck the various UK police services would have no luck at all. The Times reports that the Metropolitan Police have suffered a data breach. This time the photos, names and rank of 47,000 personnel may have been exposed to hackers. The means of entry to the Metropolitan site, through a compromised IT system of a contractor engaged to print police warrant cards. The implications of this data breach are particularly serious and multi pronged. Not only do the hackers have details of police and their warrant card numbers but also there is the potential of creating false warrant cards.
Hackers regularly use 3rd party contractors as means of access to the intended target or get data belonging to the intended target. Small contractors tend to have less effective and extensive cyber security defences and large businesses use a lot of contractors.
The Times article provides:
Officers and staff at the Metropolitan Police have been warned that their details may have been exposed to hackers in a data breach.
The photos, names and ranks of 47,000 personnel may have been compromised after the IT systems of a contractor commissioned to print warrant cards and staff passes were penetrated.
The breach, first revealed by The Sun on Sunday, has been reported to the National Crime Agency and the Information Commissioner’s Office over fears employees could be put at risk if their details fall into the hands of terrorists or organised gangs.
It is understood police chiefs have sent a message to staff urging them to “remain vigilant”.
It comes after the Police Service of Northern Ireland (PSNI) revealed this month that names, ranks, locations and other personal information of 10,000 staff were mistakenly published online. MI5 cyberexperts are rushing to identify those who downloaded the document amid fears personnel could be at risk.
The Met confirmed details of the hack to The Sunday Times but was “not in a position to say” if officers’ information had been exposed to hackers as it first “had to investigate” the breach with the contractor.
The force said in a statement: “We have been made aware of unauthorised access to the IT system of a Met supplier. We are working with the company to understand if there has been any security breach relating to Metropolitan Police data.
“The company had access to names, ranks, photos, vetting levels and pay numbers for officers and staff. The company did not hold personal information such as addresses, phone numbers or financial details.
“Security measures have been taken by the MPS as a result of this report. The MPS has reported the matter to the National Crime Agency. The Information Commissioner’s Office is also aware.’’
John O’Connor, a former Met commander, described the breach as “utterly outrageous” and said that “anyone using these details to produce a warrant card or pass could gain access to a police station or secure area.”
Rick Prior, from the Police Federation, said it was a “staggering security breach” which could do “incalculable damage”.
Last week, Norfolk and Suffolk constabularies admitted breaching the data of 1,230 people — including victims and witnesses — due to a “technical issue”. The forces said the breach resulted in data such as names, addresses and date of birth being included within files which were as part of a response to a freedom of information request.
In April, Oliver Dowden, the Cabinet Office minister, warned at a security conference in Belfast that Russian cybermercenaries were increasingly targeting Britain and attempting to “disrupt or destroy” critical infrastructure.
In January one Ukraine’s top officials said Russian hackers were targeting British critical infrastructure. Viktor Zhora said: “Russia has highly professional military hackers who have served in the intelligence services for a long time. The UK should be aware of these potential evolving threats from Russia.”
What are the implications of this data breach for the Metropolitan Police and for the public? What steps can the police take to improve the security of their data systems?