Metropolitan Police chiefs should carry out a thorough investigation of the force’s cyber security practices following an IT breach, industry experts have said.
Scotland Yard said on Saturday that it had been made aware of “unauthorised access to the IT system of one of its suppliers”.
The company in question had access to names, ranks, photos, vetting levels and pay numbers for officers and staff.
The force is now working with the company to understand if there has been any security breach relating to its data, and was unable to confirm how many personnel might be affected.
Cyber security experts said the possible data breach is “extremely worrying” but unsurprising as cyber attackers frequently target third-party companies.
Jake Moore, global cyber security adviser for software firm ESET, told the PA news agency: “This is another extremely worrying episode of what we seem to be seeing quite a lot of this year.
“It’s just worrying to think these police forces are coming under attack in what I would suggest are relatively simple ways.”
Mr Moore said the current suspected breach appears to have been “a targeted attack to test the security within the supply chain” where criminals were “looking for the weakest link”.
He added: “The Met Police are extremely good at keeping their own data secure, but they do use third parties.
“As they have to use these parties, if they aren’t up to date with their own security then that becomes a weakness that could be targeted.”
Mr Moore suggested that current cyber security systems used by police forces, coupled with a lack of resources, may have led to flaws opening up.
He said: “It’s not impossible to stop this. It’s to do with understanding where all your data is.
“When you amalgamate systems, particularly when police forces join together, they tend not to understand completely where all their data is or who has access to it, and that can cause problems down the line.
“They need to do a complete analysis on who has access, why they have access to their data, and to reduce all of those weak points as best they can.
“It will take time – not necessarily too much money – but it will take resources and people power to mitigate this in the future, and hopefully something like this will shake the boots of all the chiefs around the country to wake up and act faster.”
Kevin Curran, professor of cyber security at Ulster University, agreed that the breach is likely to be down to “a third-party supplier issue”.
He said: “I’m not surprised really – data breaches are such a common occurrence and police are no exception.
“They have the same resources as a lot of other companies, where any data systems which have external access to the internet are a risk.”
Mr Curran said questions need to be asked about why third parties have access to such information, and if the Met has the right data classification methods in place.
He added: “It boils down to resources. Every organisation has to allocate a percentage of their IT budget to cyber security.
“It’s a publicly-funded organisation so there’s only a finite amount of resources you have, but we do have best practices and guidelines in the industry on how to protect the systems, so maybe it comes down to someone conducting an external audit in the aftermath to see whether or not they are following these practices.”