The Metropolitan Police are currently conducting an investigation into a suspected data breach resulting from unauthorised access to the system of one of their suppliers. The potential ramifications of this breach are concerning, as it may have exposed the personal and work-related information of all 47,000 officers and staff. This raises significant concerns about their safety and operational integrity. Policing London is already a stressful task, and the prospect of having your personal and professional data leaked adds an unwarranted layer of anxiety.



A breach through a third-party supplier is not surprising given the rise in third-party attacks, yet it is still unexpected when it affects those whom the public relies on to ensure safety and security. This serves as a reminder that no company or entity is immune to cyber attacks.


Although the specific third-party company responsible for the breach has yet to be officially confirmed, reports suggest that it originated from the organisation entrusted with producing the force’s warrant cards and ID badges. This breach resulted in the exposure of highly sensitive information, including names, ranks, photos, vetting levels, and payroll details. The operational sensitivity of this information cannot be overstated, especially when considered collectively.


The third party is at fault in this situation, but the Police face the consequences, with severe implications for security and for public trust in their credibility. A similar situation arises when attacks happen within a company’s supply chain. People tend to remember and focus on the impacted company rather than the attacked supplier. That’s why thoroughly vetting and closely monitoring suppliers is crucial. Your reputation, among other things, is on the line.


This breach adds to the growing concern surrounding information security within the UK police force. In the past month, two other police forces were in the headlines due to data breaches. In one instance, the Northern Ireland Police inadvertently posted information about approximately 10,000 staff members online for a two-hour period before taking it down. A similar incident occurred with Norfolk and Suffolk police, where police shared data about 1,230 individuals, including sensitive details about victims, witnesses, suspects, and various criminal cases such as incidents, sexual offences, assaults, thefts, and hate crimes. Although these breaches were caused by human error rather than malicious intent, they highlight a potential pathway attackers could exploit in the future, as 88% of cyber attacks stem from human error. This stands as an important lesson for all companies on the significance of training employees in data handling and maintaining vigilance.




Many have expressed concerns regarding the Metropolitan Police’s decision to share such sensitive information with an external company. However, in today’s modern era, extensive information sharing with third-party suppliers is a common practice. While this process is deemed secure, it is imperative to continually evaluate suppliers, particularly regarding their cybersecurity measures, and remain vigilant in identifying any potential vulnerabilities they may possess. As the world progresses, it is crucial to safeguard sensitive information whilst embracing the benefits of collaboration and technological advancements.