Written by staff writer.
London Metropolitan Police disclosed over the weekend that hackers had infiltrated the IT systems of a third-party supplier, resulting in the theft of sensitive data about police force employees.
It is understood the supplier stored information on their servers detailing the names, photos, ranks, identification numbers, vetting levels, and payroll details of London Metropolitan Police Force employees, but not details such as residential addresses or phone numbers.
“We are working with the company to understand if there has been any security breach,” reads a London Metropolitan Police Force statement. The force is the UK’s largest, employing over 47,000 officers and civilians. So far, the identity of the supplier company remains undisclosed, but UK media outlets say it had the contract to print staff passes and warrant cards.
The contractor reportedly notified the police force of the breach and is now working with agencies to assess when the attack occurred, why, and precisely what was stolen. “Security measures have been taken… as a result of this report,” the statement read.
It is the second significant security breach concerning UK police officer’s data in as many months. In July, the Police Service of Northern Ireland admitted accidentally releasing the names, ranks, and work locations of over 10,000 officers, raising real security concerns in a place where Irish Republican Army dissidents still occasionally attack the police, including attempting to assassinate a senior Northern Ireland police officer earlier this year.
Rick Prior of the Metropolitan Police Federation, the union representing London Metropolitan Police Officers, called the latest breach “a staggering security breach that should never have happened.”
“Given the roles we ask our colleagues to undertake, significant safeguards and checks and balances should have been in place to protect this valuable personal information, which, if in the wrong hands, could do incalculable damage,” he said.
Agencies involved in the investigation include the National Crime Agency (NCA), which is reportedly examining where organised criminals or terror groups could use the information to replicate staff passes. There are also concerns that the photographs of police officers working undercover and in other sensitive operational areas could be circulated.
Details on the nature of the attack remain sketchy, with little chatter on the usual grey zone forums and messaging platforms. London Metropolitan Police could not say when the breach occurred and whether it was a straightforward ransomware attack or a targeted attempt to obtain the details of police officers working in and around the UK’s biggest city.
The UK’s National Cyber Security Centre (NCSC) recently warned organisations to update systems after observing an increased incidence of attackers targeting entities with known vulnerabilities.
“Vulnerabilities are sadly part and parcel of our online world, and we see threat actors continue to take advantage of these weaknesses to compromise systems,” said Jonathon Ellison, NCSC Director of Resilience and Future Technology. The agency says some malware will inevitably infiltrate every organisation’s IT systems. However, it advises that using a ‘defence-in-depth’ approach, that is, using layers of defence with several mitigations at each layer, helps organisations detect malware early and disable it before it can cause harm, helping prevent incidents such as the potentially highly comprising theft of London Metropolitan Police employee information.
About Author
