Vodafone accidentally leaked the records of over 1,700 News UK journalists and staffers to the Metropolitan Police Service (MPS) after the cops requested the details of just one hack under investigation last year, it has emerged.
The Met demanded the call records of a Sun journalist in October last year as part of Operation Elveden – an investigation into the payment of public officials by hacks in return for private info.
However, due to what it claims was “human error” Vodafone accidentally handed over the phone records of 1,757 people working at the Murdoch-owned News UK.
Those people included “journalists, lawyers, secretarial staff and senior executives covering the years 2005-07,” according to The Times.
However, despite knowing the data had been sent to them by accident, the Met analyzed it in its entirety, building a spreadsheet of all outgoing calls made from the 1,700+ phones in question.
It was apparently months before the police notified the authorities of the error and sent a copy of the data back to Vodafone.
A spokesman for the operator told The Times in a statement that the dataset could have been corrupted.
“We wrote to the Met to express our grave concern that the police continued to retain the data released to them in error and made it clear to them that any assumption that meaningful conclusions could be drawn from any aspect of the corrupted dataset was highly questionable,” he added.
A Met spokesman, meanwhile, said the MPS had consulted with the Interception of Communications Commissioner’s Office (IOCCO), and the Information Commissioner on what it should do with the data.
“The Met agreed that it would only use the material for a policing purpose, when in the interests of justice to do so, and where people were already charged and facing criminal proceedings,” he added in a statement.
The IOCCO itself has released a summary of the incident here.
It said it had referred the case to privacy watchdog the ICO after concerns about Vodafone’s lawful retention of data for business purposes, amongst other matters.
It added:
“We required further information from the MPS in relation to the review, use, retention and security of the data within the investigation. We required the MPS to put in place measures so that the data disclosed in error could not be accessed, reviewed or disseminated outside of Operation Elveden.”
Martin Sugden, managing director of DLP vendor Boldon James, argued that such incidents are becoming increasingly commonplace.
“With human error accounting for 50% of breaches according to the ICO, organizations need to both raise user awareness of the sensitivity of the data that they handle and deploy technology that can prevent sensitive data being released in error,” he added.
“Vodafone was lucky that the recipients of this data were the police and not someone with less lawful intentions.”