Gwent Police is being investigated after failing to inform hundreds of people that hackers may have accessed their confidential reports to the force. Sky News has learned that up to 450 people who filed reports through an online tool over a two-year period could have been put at risk by hackers due to security flaws. Although the tool was decommissioned after an internal security review discovered that confidential information was being exposed, the force did not inform the individuals who were affected.
Gwent Police’s failure to report the potential breach stands in stark contrast to a breach at Uber, where the company is accused of paying a hacker to conceal the confirmed theft of information belonging to 57 million customers. IT security experts commented below.
Paul Walker, Technical Director at One Identity:
“It’s encouraging to see Gwent Police taking a proactive approach to security by performing a review that apparently discovered confidential personal information was being exposed. However, this leak may have been prevented by performing penetration tests and security audits before the online tool was exposed to the public.
Decommissioning their flawed online tool was absolutely the right thing to do. Unfortunately, Gwent Police didn’t take the same proactive approach to notifying the individuals affected by the data leak that they could be put at risk by the hacking of potentially confidential information. Recent industry developments such as the EU GDPR initiative are being adopted to enforce the rights and freedoms of individuals with regard to their personal data. GDPR takes effect not only in all EU member states; it applies to any organizations that process EU data subjects’ data, including those in non-EU member states. Importantly, #BREXIT will not change this situation for the UK.
Under GDPR article (33), in the event of a personal data leak, notification must be made to the supervisory authority without delay, including the likely consequences of the personal data breach and the measures taken to address the breach, all within a 72-hour time frame as defined by article (34). It’s not just bad news for the people who have had their personal information breached: GDPR goes further, and article (83) details the administrative fines for the organization that leaked the personal data. These fines, applied to the organization that experienced the leak, can be up to 20 million Euro or 4% of annual turnover; depending upon the nature of the breach, the fines could be different.
As organizations put more and more services online, it presents a double-edged sword. It provides easier access to information and services, but it also increases the risk of inadvertent disclosure due to security flaws. An essential part of any application deployment should include a security incident response plan, including how to mitigate the results of an exposure, as well as notification of the affected individuals.”
Javvad Malik, Security Advocate at AlienVault:
“Being breached isn’t necessarily something that can be completely avoided and most companies will face a breach or near-breach at some point. With this in mind, it is important that companies have appropriate threat detection controls in place that can identify when a breach has occurred as soon as possible so that the appropriate response can be taken.
The response will involve isolating infected systems, assessing damage, and equally important issuing relevant notifications. This could be to partners, shareholders, regulators, and customers. This is of particular importance where personal information is disclosed and will be an area that will be scrutinised with more rigour once GDPR comes into force.”
Lee Munson, Security Researcher at Comparitech:
“That a data breach occurred through an online tool used by Gwent Police is hardly shocking given the number of other breaches, reported and otherwise, that occur across the internet all year round.
What is shocking, though, is the fact that it went undetected for two years and then, when it was discovered, the incident response was sadly lacking.
Not only did the force ignore the fact that it should have informed the Information Commissioner’s Office but, worse, it did not consider the 450 or so people who may have had personal or other sensitive information compromised.
Worse than that, the assertion from a spokesperson that it was highly unlikely that a potential attacker could have swiped any data is dangerous thinking which may lull affected persons into thinking they need do nothing.
In reality, affected persons should be considering the nature of the information they shared with Gwent Police and checking email accounts for targeted phishing attempts, reviewing online banking accounts and changing passwords, as appropriate.”
Jan van Vliet, VP and GM, EMEA at Digital Guardian:
“Public and private organisations alike have a duty of care, not to mention a legal obligation, to protect data. By failing to discover the security flaws of their online tool and appearing to disregard security best practices, Gwent Police has acted negligently. If GDPR were already in force, the potential repercussions for Gwent Police could be far greater, as it appears that it was in violation of two requirements of the regulation. First, under the GDPR, companies are required to use appropriate measures to protect all personal data – has this information even been encrypted? Second, companies are obliged to report suspected incidents to the authorities within 72 hours – which Gwent failed to do. The incident also reminds us of the dangers of not notifying the affected parties. Gwent Police has failed to notify victims of the potential breach, putting those affected at further risk. If personal details got into the wrong hands, hackers could have targeted victims through phishing and social engineering attacks – and the victims would have had no reason to believe anything was suspicious.”