England’s second largest police force is still running a worryingly high number of Windows XP PCs while many others have refused to disclose figures, according to a new Freedom of Information (FOI) request.
Most of the UK’s police forces, including Police Scotland, refused to tell the BBC how many XP machines are still operational, fearing it would put them at greater risk of attack.
However, Greater Manchester Police claimed that over 1500 PCs were still on the legacy operating system, amounting to around 20% of the total.
"The remaining XP machines are still in place due to complex technical requirements from a small number of externally provided highly specialized applications," a spokeswoman told the broadcaster.
"Work is well advanced to mitigate each of these special requirements within this calendar year, typically through the replacement or removal of the software applications in question.”
There’s no news on how these computers are being secured, although virtual patching typically helps to protect machines running unsupported software and systems until they can be upgraded.
Otherwise, they could represent a serious security risk, being vulnerable to covert info-stealing raids and ransomware attacks, among other threats.
Cleveland Police, the Police Service of Northern Ireland and the Civic Nuclear Constabulary all claimed less than 1% of machines run XP. Although this reduces their attack surface considerably, attackers theoretically only need to compromise one networked machine to do their worst.
The Metropolitan Police refused to respond to the FOI request, although it was revealed in June that 18,000 PCs were running the unsupported Microsoft OS at the UK's biggest force.
Elsewhere there was a more positive picture, with Gwent Police, North Wales Police, Lancashire Constabulary, Wiltshire Police and City of London Police all claiming to have no computers running XP.
David Emm, Kaspersky Lab principal security researcher, described the findings as 'alarming'.
“The fact that Microsoft issued emergency updates for XP and other unsupported systems in response to the WannaCry outbreak shouldn’t lure organizations into a false sense of security: there’s no guarantee that this would happen for future attacks,” he added.