Scotland Yard Probes Impact of Suspected Hack Attack Against Service Provider
London’s Metropolitan Police Service is investigating a serious data breach that may have exposed names, ranks and photographs for potentially all 47,000 personnel.
See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense
The force told staff it’s still probing the “unauthorized access to the IT system of a Met supplier” and that it’s not yet clear when or how it occurred, or how many individuals might be affected.
“We are working with the company to understand if there has been any security breach relating to Metropolitan Police data,” the Met said in a statement. “The company had access to names, ranks, photos, vetting levels and pay numbers for officers and staff. The company did not hold personal information such as addresses, phone numbers or financial details.”
The Met Police is responsible for policing greater London – with the exception of the City of London financial district – which has 8.6 million residents. One concern with the breach is that undercover officers’ identities may have been exposed.
The Met has referred the incident to both the U.K. National Crime Agency and the Information Commissioner’s Office, which enforces the country’s data protection rules. An NCA spokesperson told the BBC the agency was “aware of the cyber incident” and “working with law enforcement partners to understand the impact.”
The breached contractor is responsible for supplying the official warrant cards that officers use to identify themselves, as well as staff passes, the Sun reported. The contractor has not been identified.
The Metropolitan Police Federation, which represents the more than 30,000 officers in the force, labeled the incident “a staggering security breach that should never have happened.”
“Metropolitan Police officers are – as we speak – out on the streets of London undertaking some of the most difficult and dangerous roles imaginable to catch criminals and keep the public safe,” said Rick Prior, vice chair of the MPF, in a statement. “To have their personal details potentially leaked out into the public domain in this manner – for all to possibly see – will cause colleagues incredible concern and anger.”
String of UK Police Breaches
The Met Police security incident follows a string of other data breach alerts from U.K. police forces. Earlier this month, the Police Service of Northern Ireland warned that due to “human error” when fielding a freedom of information request, the force had inadvertently exposed personal details for all 9,276 serving police officers and staff.
The breach exposed first initials and surnames, roles and locations for each individual. The PSNI said it has identified personnel for whom their personal – or family’s – security is at heightened risk as a result, and has been advising them on how to best mitigate that risk.
Extremists remain a serious threat, and the PSNI warned that it believed they had obtained copies of the data. In March, the U.K. government raised the terrorist threat level in Northern Ireland in March to “severe” following the attempted assassination of an off-duty police officer in Omagh, County Tyrone.
Since the data breach, PSNI detectives have made two arrests under the Terrorism Act in connection with individuals who may have obtained the information.
Days after that breach occurred, the PSNI disclosed that in July, it suffered another breach after a laptop and notebook fell from an officer’s moving vehicle on the M2 motorway in north Belfast. While “the laptop was immediately deactivated and has since been recovered,” the force said parts of the notebook remain missing, including pages containing personnel information for “42 officers and staff,” who have been directly notified.
Also this month, the constabularies of Norfolk and Suffolk in England warned that they too had accidentally exposed information when responding to multiple freedom of information requests. The exposed information on 1,230 individuals pertains to crime reports.
“The data includes personal identifiable information on victims, witnesses and suspects, as well as descriptions of offenses,” the constabularies said. “It related to a range of offenses, including domestic incidents, sexual offenses, assaults, thefts and hate crime.”
Last week, yet another police force breach came to light. On Wednesday, England’s South Yorkshire Police reported that it had referred itself to the ICO “after the force noticed a significant and unexplained reduction in data stored on its systems.” The force said digital forensic experts are attempting to recover nearly two years of police body cam footage
– recorded from July 2020 through May – of officers attending an incident or engaging with members of the public.
“Approximately 69 cases have been identified as potentially affected by the loss of data and we are working closely with the victims and the Crown Prosecution Service,” the force said.
“There may be implications for victims and witnesses and the wider criminal justice system as some of this footage may be evidence in upcoming court cases” of both a criminal and civil nature, said South Yorkshire Police and Crime Commissioner Alan Billings in a statement. “The force is working through the implications and direct contact is being made with those affected.”