[ad_1]
The Metropolitan Police was warned about outsourcing the production of warrant cards years before a cyber hack which may have exposed the identity of thousands of officers.
Scotland Yard said it was investigating a possible breach and had put security measures in place after being made aware of “unauthorised access to the IT system of one of its suppliers”.
Mark Rowley, the Met’s commissioner, has now ordered a review into the arrangement with third parties after the incident raised “wider concerns”.
The contractor is understood to have had access to names, ranks, photos, vetting levels and pay numbers for all of the force’s 47,000 officers and staff.
The Metropolitan Police Federation, which represents 30,000 staff, warned the data breach could cause “incalculable damage”.
Rick Prior, the organisation’s vice -chairman, said the force had been made aware of the potential dangers of outsourcing operationally sensitive material to third parties years before.
Sensitive information
“When this was proposed about three years ago we did flag concerns with the Met around this issue, or potential issue in terms of external agencies being in possession of what amounts to sensitive personal information,” he said.
“Certainly, operationally sensitive information such as vetting, a picture and a name are three items that when put together are very sensitive. It’s very concerning for lots of officers out there, a number of who had sleepless nights.
“Metropolitan Police officers are, as we speak, out on the streets of London undertaking some of the most difficult and dangerous roles imaginable to catch criminals and keep the public safe. To have their personal details potentially leaked out into the public domain in this manner – for all to possibly see – will cause colleagues incredible concern and anger.”
He added: “Given the roles we ask our colleagues to undertake, significant safeguards and checks and balances should have been in place to protect this valuable personal information which, if in the wrong hands, could do incalculable damage.”
The National Crime Agency, the National Cyber Security Centre and the Information Commissioner’s Office have all been advised. Met Police bosses also sent a message to staff, urging them to “remain vigilant”. Personal addresses and phone numbers were not included in the breach.
Third-party companies a frequent target
Cyber security experts said the possible leak was “extremely worrying” adding that attackers frequently target third-party companies.
Jake Moore, global cyber security adviser for software firm ESET, said: “This is another extremely worrying episode of what we seem to be seeing quite a lot of this year. It’s just worrying to think these police forces are coming under attack in what I would suggest are relatively simple ways.”
The Met has an official “supplier code of conduct” in which it highlights cyber security as being a critical issue.
The National Crime Agency said it was “aware of the cyber incident” and “working with law enforcement partners to understand the impact”.
A spokesman for the Met, said: “Over the past decade we have outsourced more functions than ever before. This was largely driven by austerity.
“Whilst we all recognise that there are many roles beyond policing where others have capabilities beyond ours we must be clear-eyed about data held by suppliers in the increasingly complex cyber threat context we operate within. All of our contracts do include strict data security and testing requirements but we must and will look again.”
The review will look at the length of time data is held, the amount of data that is supplied, and whether the suppliers security measures have been tested robustly enough.
The breach comes just weeks after the Police Service of Northern Ireland admitted it had mistakenly published personal information about all its 10,000 staff.
Norfolk and Suffolk Police later announced it had mistakenly released information about more than 1,200 people, including victims and witnesses of crime, also following an FoI request.
And last week, South Yorkshire Police referred itself to the information commissioner following the deletion of bodycam footage stored on its systems, a loss which it said could affect at least 69 cases.
[ad_2]
Source link