Hackers allegedly stole hundreds of reports by exploiting a security flaw in an online tool used by the police.
In normal circumstances, the police are the investigating authority, but Gwent County Police in the United Kingdom is in hot water and being investigated for not informing complainants that reports they filed were stolen by hackers.
Apparently, Gwent Police used an online tool that let the public report crimes or other incidents, but they did not know that a critical security flaw in the tool allowed hackers to steal confidential reports filed by 450 people over the last two years.
According to a Sky News report, authorities removed the online tool from the server after identifying the breach, which took place in February 2017, but they did not inform the victims. The UK’s Information Commissioner’s Office (ICO) has taken strict notice and is currently investigating the incident.
Sky News also found that the online tool used by the public to file reports was developed by the force’s digital development team and is considered unique to the force. A Gwent Police spokesperson, on the other hand, did not confirm whether the breach took place.
“There has been no other form of communication (complaints or any malicious activity on our security system). It was concluded that there was a high probability no data had been accessed and no risk to any individuals,” said the spokesperson.
In an email conversation with HackRead, Jan van Vliet, VP and GM, EMEA at Digital Guardian, said: “Public and private organizations alike have a duty of care, not to mention legal obligation, to protect data. By failing to discover the security flaws of their online tool and appearing to disregard security best practices, Gwent Police has acted negligently.”
“If GDPR was already in enforcement, the potential repercussions for Gwent Police could be far greater as it appears that it was in violation of two requirements of the regulation. First, under the GDPR (EU General Data Protection Regulation), companies are required to use appropriate measures to protect all personal data – has this information even been encrypted? Second, companies are obliged to report suspected incidents to the authorities within 72 hours – which Gwent failed to do.”
“The incident also reminds us of the dangers of not notifying the affected parties. Gwent Police has failed to notify victims of the potential breach, putting those affected at further risk. If personal details got into the wrong hands, hackers could have targeted victims through phishing and social engineering attacks – and the victims would have had no reason to believe anything was suspicious.”
Hiding data breaches has become a habit
This is not the first time that an institution hit by a data breach has decided not to inform victims. Last year in July, Equifax suffered a massive data breach in which the personal and sensitive details of 143 million (now 145.4 million) Americans were stolen; however, the company only informed customers in September.
Moreover, Uber suffered a data breach in October 2016 in which hackers stole 75 million accounts of its registered users, but the company did not inform customers until Bloomberg reported that Uber had paid the hackers $100,000 to stop them from leaking the data online.
How to know if your credentials have been compromised
The IT security community has been working on tools to counter the habit of companies not informing victims about data breaches. In December, the University of California San Diego (UCSD) developed “Tripwire Tool,” a prototype tool that identifies whether websites have been compromised and suffered data breaches.
In a similar development, Mozilla announced it is joining hands with HaveIBeenPwned.com (HIBP), a popular data breach notification website, to send Firefox users an in-browser alert telling them whether the website they are visiting was previously hacked and whether their login credentials have been involved in a data breach.
Source: Sky News