Three takeaways from the Greater Manchester Police data breach
Greater Manchester Police was fined £150,000 by the Information Commissioner’s Office (ICO) earlier this year, following a data breach in which unencrypted DVDs of victim interviews were lost in the post.
The DVDs were sent via recorded delivery to the National Crime Agency (NCA), but they never reached their intended destination. It has been confirmed that the interviews included the victims’ names and open discussions about the crimes.
In the aftermath of this breach, Greater Manchester Police has examined its own data security policies. There is also an opportunity for all UK police services to do likewise, to ensure the same breach doesn’t happen twice. Three key areas deserve focus.
1. Promote security for inter-agency communications
This incident occurred during a routine transfer of data between two public sector organisations that are both governed by the same data handling framework. This should be a stark warning to police services to examine all areas where sensitive data is shared, even if it’s with colleagues or affiliate organisations. Familiarity can also breed complacency and it’s not acceptable for any organisation to allow unsecure processes to continue ticking along in the background simply because something has never gone wrong before.
Once these processes have been examined, it is then crucial that security updates are made. In this instance, for example, a secure collaboration solution would have prevented media files from being lost in the post. Users at the police service would have been able to load the files into a folder that would only be shared with the relevant users at NCA. Audit logs of all actions taken by these parties would also extend the level of control the data owner has over this sensitive data, to ensure correct handling at all times. Additionally, it almost goes without saying that the encryption applied as part of a secure online collaboration platform is absolutely required to protect sensitive data.
2. Update processes
The Greater Manchester Police data breach hangs on two vulnerabilities: postal delivery and unencrypted DVDs.
Postal delivery is inherently unsecure, even when opting for recorded delivery. Once the item has been passed to the postal service, the data owner entirely relinquishes control over it. This, then, leaves the item open to interception during delivery – whether intentional or because the package has been misplaced – and upon arrival. Even when a signature is required as part of delivery, often a package isn’t signed for by the person whose name is on it. Items are frequently left with receptionists and colleagues, needing to be passed through the organisation to reach the intended recipient. Finally, the data owner is then unable to control who the item is further shared with after this point, trusting the intended recipient to handle it correctly.
It is clear to see that this process is open to a whole host of vulnerabilities, not least human error.
Again, technology can help to remedy this. Whether sharing data via encrypted large file transfer or in a secure online collaboration, you remove the ‘middle men’ of delivery services and receptionists who can pose a threat to sensitive information (often unintentionally). Additionally, the extended control of audit logs and user permissions (e.g. preventing local downloads) goes further to minimise risk to sensitive data. Added to this, the ability to expire files for one or multiple recipients means individuals can only access this data for as long as is necessary.
3. Focus on secure transfer of large files
The second vulnerability of the Greater Manchester Police data breach was the use of unencrypted DVDs to share large media files. Of course, the first point this raises is why protection wasn’t applied to the discs – but there is a wider issue here for all police forces: the secure handling of large, often digital, files.
Victim and witness interviews are not the only large files that police services handle, as often members of the public submit evidence such as photos and CCTV footage as part of investigations. With the rise of dashcams being installed in cars, this is only going to increase.
Police services therefore need to find ways to securely receive large files, and then transfer them internally and with approved external recipients. As the demand for this increases, they will inevitably need to rely on information security technology to reduce costs, improve efficiency and protect sensitive data. Even setting the security risks aside, sending DVDs via recorded delivery must soon, if it’s not already, become an untenable cost to police services. Technology can help to reduce this cost, as well as provide immediate access to files for recipients.
Of course, the Greater Manchester Police data breach was a concerning event. However, it’s up to individual police services to also use it as a constructive lesson, improving their own processes and systems to better protect the data of the citizens they serve.