Gwent Police has become the subject of an investigation after reports emerged that it failed to notify the regulator of a potential data breach involving reports sent in by members of the public.
The south Wales police force has now decommissioned a proprietary online tool used by members of the public to file confidential reports, after it spotted a security issue, according to Sky News.
However, by that stage, 450 members of the public had filed reports via the tool over a two-year period, meaning their details may have been put at risk.
Those individuals weren’t informed, and neither was the regulator, the Information Commissioner’s Office (ICO) – which could be illegal under current data protection laws.
The February 2017 investigation of the online tool found no hard evidence of a cyber-attack, but only because the hosting company used was able to provide access records for just the previous 24 hours.
Both the ICO and the police and crime commissioner for Gwent are now investigating.
A spokesperson for Gwent police told the news channel that the force is unable to confirm if personal data was accessed.
“However, in mitigation, for someone to access this data, they would have had to have been actively looking on the specific area of the site, had a reasonable level of technical skill and known a complex URL (which was long in length and a mixture of random characters),” they reportedly claimed.
“There has been no other form of communication (complaints or any malicious activity on our security system). It was concluded that there was a high probability no data had been accessed and no risk to any individuals.”
Experts were quick to criticize the police force for its lack of transparency, which some have likened to Uber’s attempts to hush up a 2017 breach.
“By failing to discover the security flaws of their online tool and appearing to disregard security best practices, Gwent Police has acted negligently. If GDPR was already enforced, the potential repercussions for Gwent Police could be far greater as it appears that it was in violation of two requirements of the regulation,” argued Digital Guardian EMEA VP, Jan van Vliet.
“First, under the GDPR, companies are required to use appropriate measures to protect all personal data – has this information even been encrypted? Second, companies are obliged to report suspected incidents to the authorities within 72 hours – which Gwent failed to do. Gwent Police has also failed to notify victims of the potential breach, putting those affected at further risk.”