Gwent Police is being investigated after failing to inform hundreds of people that hackers may have accessed their confidential reports to the force.
Sky News has learned that up to 450 people who filed reports through an online tool over a two-year period could have been put at risk by hackers due to security flaws.
Although the tool was decommissioned after an internal security review discovered that confidential information was being exposed, the force did not inform the individuals who were affected.
In what may amount to a breach of its responsibilities under the Data Protection Act, the force also failed to notify the Information Commissioner’s Office until it was contacted by Sky News.
This week, a spokesman for the force said: “Gwent Police has recently contacted the Information Commissioner’s Office (ICO) and confirmed that formal notification will be provided for consideration.
“Data integrity is of paramount importance to Gwent Police and we continually review our governance procedures to minimise the risk of data breaches.”
The potential breach was discovered in February 2017, when the force said an immediate “investigation was commenced to establish whether any data had been accessed”.
However, the investigators found that the web server logs from the hosting company, which could have revealed whether hackers had accessed the reports, only stored access information covering the previous 24 hours.
An ICO spokesperson confirmed: “We’ve been made aware of an incident involving Gwent Police and will be making enquiries.”
The Police and Crime Commissioner for Gwent, Jeff Cuthbert, told Sky News he would also be investigating the incident.
“I am responsible for monitoring and scrutinising the performance of Gwent Police. I will be asking the chief constable for a full and comprehensive report on data breaches and the process in place for identifying and acting upon them.
“Moving forward, I will seek reassurance that the protection of personal data of the public we serve is of paramount importance and that any lessons learnt from previous breaches are implemented with immediate effect.”
A spokesperson for the force told Sky News: “We are not able to confirm whether this data had been accessed.
“However, in mitigation, for someone to access this data, they would have had to be actively looking on the specific area of the site, had a reasonable level of technical skill and known a complex URL (which was long in length and a mixture of random characters).
“There has been no other form of communication (complaints or any malicious activity on our security system). It was concluded that there was a high probability no data had been accessed and no risk to any individuals.”
Gwent Police’s failure to report the potential breach stands in stark contrast to a breach at Uber, where the company is accused of paying a hacker to conceal the confirmed theft of information belonging to 57 million customers.
Speaking to Sky News, Raef Meeuwisse, the author of Cybersecurity for Beginners, said: “The response of any organisation to a potential data breach should always reflect the value or sensitivity of the information involved.
“In this case, it is surprising that the team dealing with this on behalf of Gwent Police do not appear to have considered this a notifiable incident.
“Gwent Police did not have the means to verify if any copy of the sensitive data posted on the internet had been taken.
“Despite this, they also chose not to contact the 450 people or organisations to alert and support them and they also decided not to report the matter to the ICO or any other entity.”
Mr Meeuwisse, who has been involved as a consultant in many high-profile breach responses during his career, added: “Although it is good news that it was a security review for Gwent Police that identified the issue, the process from that point onwards seems to have fallen over.”