Worryingly, the police occupy one of the top spots in terms of organisations at the centre of data breaches, data leaks and hacks. Victims whose data is compromised in a data protection breach deserve to be notified as soon as possible, but it’s not unheard of for an organisation to “hide” a data breach as opposed to facing up to it and dealing with it.
Reportedly, Gwent Police are to be investigated for doing just that.
News sources say that Gwent Police are being investigated for failing to inform hundreds of individuals that their data protection rights had been breached.
According to the reports, some 450 people who used an online tool to file reports have been at risk of having their data compromised by cyber-hackers due to security flaws. Some of the reports are said to be confidential, and it’s thought that hackers could have had access at any time over a two-year period.
It has transpired that the tool was decommissioned after an internal security review identified that confidential information was exposed. Worryingly, Gwent Police failed to inform the users whose data had been left vulnerable. Not only did they fail to warn users, but they also failed to file a report with the Information Commissioner’s Office (ICO).
According to Sky News, Gwent Police only made the report to the ICO after Sky News contacted the force themselves.
What can victims do?
No doubt the ICO will conduct a thorough investigation into the incident. Any person whose information has been compromised may be entitled to data protection compensation.
Gwent Police should now inform users of the data protection vulnerability as soon as possible and confirm exactly what information was left vulnerable for hackers to access. Given that this is a police force we’re talking about, and with news sources already stating information that was left exposed may have been confidential, we could be talking about very sensitive information being involved in the breach.
Data protection compliance is of paramount importance for an organisation like the police. The information they hold could put people in real danger if it ends up in the wrong hands, so this is a very serious breach indeed.
Gwent Police should have reported the data protection breach to the ICO immediately, and they should have informed the users whose information was left exposed. The fact that they didn’t may land them in trouble, and when the new GDPR legislation comes into force at the end of May, future scenarios like this could see massive fines issued to offending organisations for data protection breaches, as well as for failing to disclose breaches.