Lessons in patching a leaky bucket: UK policing and data security

This article was co-written by Sofia Liemann Escobar.

Greater Manchester Police (GMP) recently confirmed that officer details have been compromised following a ransomware incident on a third-party supplier.

Though financial information is not believed to be at risk, the names of various police officers could potentially be released. The stolen data from the Stockport-based supplier appears to not only contain the names, but also pictures of police officers. This may be particularly dangerous for undercover officers, whose identities are not publicly known.

The case bears some similarities with another recent supply-chain attack targeting UK law enforcement. In August, the Met Police were placed on high alert following a security breach of one of their IT suppliers.

The names, ranks, photos, and vetting levels of 47,000 personnel were at risk of potentially being leaked into the public domain. The incident was referred to both the National Crime Agency and the Information Commissioner’s Office, responsible for enforcing the UK’s data protection regulations.

Further data breaches affecting police forces across the UK have been seen in recent months. Most notably, the names and locations of over 10,000 officers and civilian personnel of the Police Service of Northern Ireland (PSNI) were made public when a Freedom of Information Request revealed more than intended. The data was visible on their website for up to three hours before it was removed.

Shortly after this incident, the PSNI also disclosed that earlier in July they had suffered another data breach when a police laptop was stolen.

The accidental disclosure of personal details was also recently seen in Norfolk and Suffolk, where the police force disclosed that a technical glitch led to raw data being included in responses to Freedom of Information requests. Data from the breach included “personal identifiable information on victims, witnesses, and suspects, as well as descriptions” of about 1,230 individuals.

Regardless of whether the data breaches occurred because of cybercriminal activity or human error, these incidents are concerning as they highlight the risks of personal information being compromised.

The release of such information to the public may facilitate the targeting of law enforcement officers by criminal organisations.

This is particularly the case for the PSNI breach, given the historical and political context in Northern Ireland. Criminal reprisal is an ever-present concern as extremism remains a serious threat. Even today, many police officers prefer for their professions to remain unknown amongst family and friends.

In March, the UK government raised the terrorism threat level from ‘substantial’ to ‘severe’ for Northern Ireland. This was preceded by the attempted murder in Omagh of an off-duty police officer. News of the PSNI breaches have therefore been received with great concern for the safety of officers.

The frequency of data breaches amongst law enforcement organisations seen in recent weeks reveals that more caution is needed in the handling of personal and sensitive data. While the exposure of such data is worrying for the general public, the subsequent risks attached to it increase significantly in the cases of individuals who also carry out high risk jobs across both the public and private sector.

Appropriate security controls such as data classification, a Data Loss Prevention tool (DLP) to prevent data exfiltration, clarity in release processes, and restrictions to access sensitive data can help prevent some of the human error instances seen in recent incidents involving Freedom of Information requests.

Beyond law enforcement, these incidents serve as a reminder of the importance of data governance in the digital age for all types of organisations and across all sectors.

As the storage, management, and processing of such data becomes vital to the day-to-day operations of a range of entities, it is the responsibility of every organisation to bolster their data stewardship capabilities. Failure to do so, as shown by the cases across UK police forces, could potentially threaten the safety and security of individuals whose personal information is breached.

Data is not something that simply remains in the virtual world, its misuse and lack of protection can have real-life repercussions.

Advancements in Automated Detection and Response – September AI Bulletin

As highlighted above, sensitive data and PII held by public and private organisations are a major target of cyber criminals.

Particularly in the case of public entities, ransoming an organisation may not be the most damaging form of attack, but instead the major data exfiltration that takes place and leaves personnel vulnerable is.

Overall, ransomware groups such as LockBit, Cl0p and Vice Society, are getting more savvy and harder to detect.

In recent months, according to industry sources, ransomware groups have diversified their tactics to include exploiting zero day vulnerabilities, as well as the traditional initial access brokerage they procure. This is ultimately challenging organisations to bolster their human centric security around phishing and emphasises the importance of patch deployment times and enhanced detection and response capabilities.

Automation has a key role to play in this advancement in monitoring, triage and response, but it is down to vendors to innovate and customers to identify the right products to buy.

Whilst it is incredibly difficult for a customer to verify the extent to which automation plays a role in a vendor’s product, the proof ultimately has to be in the pudding. If vulnerability scanning or monitoring and triage times are slow, cumbersome, or manual, organisations should consider upgrading or changing products.

Managed Detection and Response (MDR) capabilities are critical in empowering organisations with visibility of their network and the more automation included in the products, the better response time will be to limit the impact of a breach.

The market is flooded with vendors offering Artificial Intelligence (AI) in their products and with the advancements in generative AI there is the potential for tools to be of great use to customers who don’t have 24/7 IT manual response capabilities.

However, it also doesn’t mean customers can rest on their laurels.

Cyber criminals will attempt to hide in plain sight on networks by gaining access privileges through an already established account and operating relatively normally to prevent detection. Monitoring administrative activity very closely is critical, and ensuring that automated tools have visibility of privileged account logs can help to detect suspicious behaviour.

Furthermore, long, random, rotated and MFA protected (with a physical key) passwords for privileged accounts are a huge headache for attackers. Automation might speed detection and response up, but organisations have to consider their controls from a birds eye view to gain an understanding of potential opportunities threat actors might exploit.

Public and private entities should be consistently improving and investing in their cyber security controls as a key enabler of operations. The sheer amount of police infrastructure that has been victim in the last few months to data exfiltration shows a stark and ruthless picture of the digital environment and the severity of data breaches.

Investing in automated tools and establishing and resourcing strict patching policies should be a top priority, especially for public entities holding highly sensitive data.