London’s Metropolitan Police were warned about outsourcing warrant card production years before a cyber-hacking incident that may have exposed the identities of thousands of police officers.
Scotland Yard said it was aware of “unauthorized access to one of its suppliers’ IT systems” and was investigating a possible breach and was taking security measures.
Metropolitan Police Commissioner Mark Rowley ordered a review of arrangements with third parties after the incident raised “broader concerns.”
The contractor is understood to have had access to the names, ranks, photographs, screening levels and salary numbers of all 47,000 officers and staff in the force.
The Metropolitan Police Federation, which represents 30,000 staff, warned that a data breach could cause “immeasurable damage”.
The organization’s vice chairman, Rick Prior, said the organization had recognized years ago the potential dangers of outsourcing sensitive operational material to third parties.
Confidential information
“When this was proposed about three years ago, we raised concerns with the Metropolitan Police about this issue, or the potential issue of external agencies holding what amounts to sensitive personal information,” he said.
“Indeed, operationally sensitive information such as reviews, photographs, names, etc., when combined, is a very sensitive item.
“As we speak, Metropolitan Police officers are in the streets of London, taking on the most difficult and dangerous role imaginable: catching criminals and keeping the public safe. Personal information could be leaked into the public domain in a form that would probably cause unbelievable concern and anger in my colleagues if everyone saw it.”
“Given the role we expect our colleagues to play, we have taken important safeguards to protect this valuable personal information that could cause irreparable damage if it falls into the wrong hands, and checks and balances should have been put in place,” he added.
The National Crime Agency, the National Cyber Security Centre, and the Office of the Director of Intelligence have all received recommendations. Senior police officials also sent messages to staff, urging them to “stay vigilant.” No personal addresses or phone numbers were included in the breach.
Third-party companies are frequently targeted
Cybersecurity experts said the potential breach was “extremely concerning”, adding that attackers frequently target third-party companies.
Jake Moore, Global Cybersecurity Advisor at software company ESET, said: “It’s just worrying to think that these police units are under attack in the relatively simple way that I propose.”
The Metropolitan Police has an official “Supplier Code of Conduct,” which highlights cybersecurity as a key issue.
The National Crime Agency said it was “aware of the cyber incident” and was “working with law enforcement to understand the implications.”
A spokesperson for the Metropolitan Police said, “Over the past decade, we have outsourced more work than ever before, largely driven by austerity.
“While we all recognize that there are many roles other than the police in which others have capabilities beyond ours, in this situation of increasingly complex cyber threats that we operate in, we must always be vigilant about the data held by our suppliers. All our contracts include strict data security and testing requirements, but we need to reconsider, and I will consider it again.”
The review will consider data retention periods, the amount of data provided, and whether the supplier’s security measures have been sufficiently robustly tested.
The breach comes just weeks after Northern Ireland police admitted to accidentally releasing the personal information of all 10,000 of their staff.
Police in Norfolk and Suffolk have since said they have also erroneously released information on more than 1,200 people, including victims and witnesses to crimes, in response to FoI requests.
And last week, South Yorkshire police announced they had referred themselves to the Information Commissioner after body camera footage stored in their systems was deleted, a loss that could affect at least 69 cases.