The Metropolitan Police has been advised by IT experts to carry out a thorough investigation of its cyber security practices following a data breach.
The Met said: “The company had access to names, ranks, photos, vetting levels and pay numbers for officers and staff. The company did not hold personal information such as addresses, phone numbers or financial details. Security measures have been taken by the MPS as a result of this report.”
Scotland Yard said it had also reported the incident to the National Crime Agency and to the Information Commissioner’s Office.
The incident came only three weeks after the Police Service of Northern Ireland (PSNI) admitted a “monumental” data breach after it mistakenly posted the personal details of its entire workforce online.
Cyber security experts said the latest data breach was “extremely worrying” but not unsurprising.
Criminals Looking for ‘Weakest Link’
He said the Met breach appeared to be, “a targeted attack to test the security within the supply chain” and said criminals were often, “looking for the weakest link.”Mr. Moore said: “The Met police are extremely good at keeping their own data secure, but they do use third parties. As they have to use these parties, if they aren’t up to date with their own security then that becomes a weakness that could be targeted.”
He said: “When you amalgamate systems, particularly when police forces join together, they tend not to understand completely where all their data is or who has access to it, and that can cause problems down the line.”
“They need to do a complete analysis on who has access, why they have access to their data, and to reduce all of those weak points as best they can,” he added.
Mr. Moore said: “It will take time, not necessarily too much money, but it will take resources and people power to mitigate this in the future, and hopefully something like this will shake the boots of all the chiefs around the country to wake up and act faster.”
Kevin Curran, professor of cyber security at Ulster University, said the breach was likely to be down to “a third-party supplier issue.”
He said: “I’m not surprised really, data breaches are such a common occurrence and police are no exception. They have the same resources as a lot of other companies, where any data systems which have external access to the internet are a risk.”
Mr. Curran said: “It boils down to resources. Every organisation has to allocate a percentage of their IT budget to cyber security. It’s a publicly-funded organisation so there’s only a finite amount of resources you have, but we do have best practices and guidelines in the industry on how to protect the systems, so maybe it comes down to someone conducting an external audit in the aftermath to see whether or not they are following these practices.”
Earlier this month the PSNI’s Chief Constable Simon Byrne confirmed apologised for the “serious and grave crisis” caused by the “industrial scale” data leak which led to the names and employment details of 10,800 officers and civilian staff being posted on a publicly accessible website for up to three hours.
There were concerned that dissident Irish republicans had got hold of the data.
On August 19, Christopher O'Kane, 50, was charged with possession of documents or records likely to be useful to terrorists and possession of articles for use in terrorism.