Met should thoroughly investigate cyber security practices, say experts

Scotland Yard said it was made aware of ‘unauthorised access to the IT system of one of its suppliers’.

Harry Stedman
Sunday 27 August 2023 12:22 BST
Scotland Yard is looking into a potential data breach (Kirsty O’Connor/PA)
Scotland Yard is looking into a potential data breach (Kirsty O’Connor/PA) (PA Wire)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Metropolitan Police chiefs should carry out a thorough investigation of the force’s cyber security practices following an IT breach, industry experts have said.

Scotland Yard said on Saturday that it had been made aware of “unauthorised access to the IT system of one of its suppliers”.

The company in question had access to names, ranks, photos, vetting levels and pay numbers for officers and staff.

The force is now working with the company to understand if there has been any security breach relating to its data, and was unable to confirm how many personnel might be affected.

Cyber security experts said the possible data breach is “extremely worrying” but unsurprising as cyber attackers frequently target third-party companies.

The Met Police are extremely good at keeping their own data secure, but they do use third parties. As they have to use these parties, if they aren’t up to date with their own security then that becomes a weakness that could be targeted

Jake Moore, ESET

Jake Moore, global cyber security adviser for software firm ESET, told the PA news agency: “This is another extremely worrying episode of what we seem to be seeing quite a lot of this year.

“It’s just worrying to think these police forces are coming under attack in what I would suggest are relatively simple ways.”

Mr Moore said the current suspected breach appears to have been “a targeted attack to test the security within the supply chain” where criminals were “looking for the weakest link”.

He added: “The Met Police are extremely good at keeping their own data secure, but they do use third parties.

“As they have to use these parties, if they aren’t up to date with their own security then that becomes a weakness that could be targeted.”

Mr Moore suggested that current cyber security systems used by police forces, coupled with a lack of resources, may have led to flaws opening up.

He said: “It’s not impossible to stop this. It’s to do with understanding where all your data is.

“When you amalgamate systems, particularly when police forces join together, they tend not to understand completely where all their data is or who has access to it, and that can cause problems down the line.

“They need to do a complete analysis on who has access, why they have access to their data, and to reduce all of those weak points as best they can.

“It will take time – not necessarily too much money – but it will take resources and people power to mitigate this in the future, and hopefully something like this will shake the boots of all the chiefs around the country to wake up and act faster.”

We do have best practices and guidelines in the industry on how to protect the systems, so maybe it comes down to someone conducting an external audit in the aftermath to see whether or not they are following these practices

Professor Kevin Curran, Ulster University

Kevin Curran, professor of cyber security at Ulster University, agreed that the breach is likely to be down to “a third-party supplier issue”.

He said: “I’m not surprised really – data breaches are such a common occurrence and police are no exception.

“They have the same resources as a lot of other companies, where any data systems which have external access to the internet are a risk.”

Mr Curran said questions need to be asked about why third parties have access to such information, and if the Met has the right data classification methods in place.

He added: “It boils down to resources. Every organisation has to allocate a percentage of their IT budget to cyber security.

“It’s a publicly-funded organisation so there’s only a finite amount of resources you have, but we do have best practices and guidelines in the industry on how to protect the systems, so maybe it comes down to someone conducting an external audit in the aftermath to see whether or not they are following these practices.”

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in