Gwent Police failed to inform up to 450 people that hackers may have accessed their confidential information after it found that an online tool that allowed citizens to report incidents to the police was exposed to hackers.
In February last year, Gwent Police discovered that an online tool that allowed citizens to file reports was exposed online and could have been accessed by anyone in possession of the link to the online tool.
Following the discovery, Gwent Police launched an investigation to verify if the online tool was illegally accessed by any third party, but the investigation was inconclusive as the web server logs from the hosting company only stored access information covering the previous 24 hours.
As reported by Sky News, the online tool contained confidential information of up to 450 people who had used it to report incidents in the two-year period prior to the discovery of the breach. Even though Gwent Police decommissioned the tool after completing its investigation, it failed to inform affected people that their confidential information may have been accessed by third parties.
In fact, Gwent Police even waited for over a year before informing the Information Commissioner's Office about the data exposure. According to Sky News, the disclosure was made only after the force was contacted by the news agency.
"Gwent Police has recently contacted the Information Commissioner's Office (ICO) and confirmed that formal notification will be provided for consideration. Data integrity is of paramount importance to Gwent Police and we continually review our governance procedures to minimise the risk of data breaches," said a spokesman for Gwent Police.
The force added that while it could not confirm if the online tool was accessed by third parties, accessing the tool would have been a near-impossible task for any hacker.
"For someone to access this data, they would have had to have been actively looking on the specific area of the site, had a reasonable level of technical skill and known a complex URL (which was long in length and a mixture of random characters).
"There has been no other form of communication (complaints or any malicious activity on our security system). It was concluded that there was a high probability no data had been accessed and no risk to any individuals," it added.
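Two details in the report are worth making concrete for defenders: the hosting company's access logs covered only the previous 24 hours, so an exposure lasting around two years could never be ruled out from log evidence, and a long random URL used as the sole access control leaks through ordinary channels such as the Referer header when someone follows it from another site. The following script is an added example, not code from the article or from Gwent Police. It parses access-log lines in the common "combined" format, flags requests to a sensitive path that came from outside a trusted range, via an external referrer, or from a non-browser client, and measures how much of an exposure window has no log coverage at all. The path `/report/incident/`, the hostname `reports.example.police.uk`, the `203.0.113.0/24` staff range, the token value and the log lines themselves are all constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample access-log lines in "combined" format (not the force's real logs).
# The /report/incident/<token> path stands in for an unauthenticated tool reached
# via a long random URL; the token value is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2017:09:14:02 +0000] "GET /report/incident/7f3a9c1e4b2d8a6f0c5e9b3d1a7f2c4e HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.22 - - [10/Feb/2017:09:20:45 +0000] "GET /report/incident/7f3a9c1e4b2d8a6f0c5e9b3d1a7f2c4e HTTP/1.1" 200 5120 "https://forum.example.org/thread/42" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Feb/2017:10:01:12 +0000] "GET /public/index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.99 - - [10/Feb/2017:11:30:00 +0000] "GET /report/incident/7f3a9c1e4b2d8a6f0c5e9b3d1a7f2c4e HTTP/1.1" 200 5120 "-" "curl/7.52.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SENSITIVE_PREFIX = "/report/incident/"                    # assumed path of the exposed tool
OWN_HOSTS = {"reports.example.police.uk"}                 # assumed hostname of the force's own site
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed staff/office range


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e


def find_suspicious_access(lines, sensitive_prefix=SENSITIVE_PREFIX,
                           trusted_nets=TRUSTED_NETS, own_hosts=OWN_HOSTS):
    """Return (timestamp, ip, reasons) for each request to the sensitive path that
    came from outside trusted ranges, arrived via an external Referer (a sign the
    secret URL has leaked), or was made by a non-browser client."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None or not e["path"].startswith(sensitive_prefix):
            continue
        reasons = []
        if not any(ipaddress.ip_address(e["ip"]) in net for net in trusted_nets):
            reasons.append("source outside trusted ranges")
        ref = e["referer"]
        if ref not in ("", "-") and urlparse(ref).hostname not in own_hosts:
            reasons.append("referred from an external site")
        if not e["ua"].startswith("Mozilla/"):
            reasons.append("non-browser user agent")
        if reasons:
            findings.append((e["ts"], e["ip"], reasons))
    return findings


def unobservable_window(lines, exposure_start):
    """How much of the exposure period predates the earliest retained log entry,
    i.e. the span for which 'nothing seen in the logs' proves nothing."""
    stamps = [e["ts"] for e in map(parse_line, lines) if e is not None]
    if not stamps:
        return None
    return max(min(stamps) - exposure_start, timedelta(0))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, ip, reasons in find_suspicious_access(lines):
        print(f"{ts:%Y-%m-%d %H:%M} {ip}: {', '.join(reasons)}")
    # Assumed exposure start two years before the one retained day, mirroring the article's timeline.
    gap = unobservable_window(lines, datetime(2015, 2, 10, tzinfo=timezone.utc))
    print(f"exposure days with no log evidence: {gap.days}")
```

Run against the constructed lines, the first request is from the trusted range with no referrer and is not flagged; the second is flagged because it came from an unknown address after following a link on an external forum (exactly how a "secret" URL stops being secret); the fourth is flagged as an untrusted automated client. With only one retained day of logs, `unobservable_window` reports 731 days of the two-year exposure for which no evidence exists either way, which is the reason an inconclusive investigation should be treated as "unknown" rather than "no access". The practical fix is to ship access logs to storage you control with retention longer than any plausible exposure, and to put authentication in front of anything that handles personal data rather than relying on an unguessable link.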
Lee Munson, a security researcher at Comparitech, told SC Magazine UK today that while the news of Gwent Police's online tool getting breached is hardly shocking given the number of other breaches, what is shocking is that "it went undetected for two years and then, when it was discovered, the incident response was sadly lacking".
"Not only did the force ignore the fact that it should have informed the Information Commissioner's Office but, worse, it did not consider the 450 or so people who may have had personal or other sensitive information compromised.
"Worse than that, the assertion from a spokesperson that it was highly unlikely that a potential attacker could have swiped any data is dangerous thinking which may lull affected persons into thinking they need do nothing," he said.
Commenting on the fact that the breach remained undiscovered for over two years, Javvad Malik, security advocate at AlienVault, told SC Magazine UK that it is important for organisations to have appropriate threat detection controls in place that can identify when a breach has occurred as soon as possible so that the appropriate response can be taken.
"The response will involve isolating infected systems, assessing damage, and equally important, issuing relevant notifications. This could be to partners, shareholders, regulators, and customers. This is of particular importance where personal information is disclosed and will be an area that will be scrutinised with more rigour once GDPR comes into force," he added.
As far as the impact of GDPR is concerned, Jan van Vliet, VP and GM, EMEA at Digital Guardian, said: "If GDPR was already in enforcement, the potential repercussions for Gwent Police could be far greater as it appears that it was in violation of two requirements of the regulation. First, under the GDPR, companies are required to use appropriate measures to protect all personal data – has this information even been encrypted? Second, companies are obliged to report suspected incidents to the authorities within 72 hours – which Gwent failed to do.
"The incident also reminds us of the dangers of not notifying the affected parties. Gwent Police has failed to notify victims of the potential breach, putting those affected at further risk. If personal details got into the wrong hands, hackers could have targeted victims through phishing and social engineering attacks – and the victims would have had no reason to believe anything was suspicious," he added.