UK police forces experienced 2,386 data breaches in 2020, according to data gathered by VPNoverview.
The information was made available following a Freedom of Information request, which 31 of the UK’s 45 police forces responded to, and includes several concerning details.
For example, the report revealed that police stations suffered 299 data breaches on average between January 2016 and April 2021.
Although it doesn’t specify how those incidents occurred, it confirmed that number covers both criminal hacking and human error.
We wouldn’t be surprised if at least some of the incidents involved ransomware, because cyber criminals are increasingly targeting essential services.
If a police force is locked out of its systems, it’s not just a case of business disruption but a risk to public safety – and as such, they may be more easily persuaded to ignore experts’ advice and pay the ransom.
Meanwhile, malicious insiders are another likely suspect. Police officers and staff have access to vast amounts of sensitive data, and there is always the risk of someone looking up someone’s file without a legitimate reason.
Indeed, a separate Freedom of Information request from 2019 found that 237 UK police employees were disciplined for doing that, and 11 people were sacked.
Who are the worst offenders?
The VPNoverview study revealed that Lancashire Constabulary recorded the most incidents in 2020 (594).
Sussex Police was second (334), followed by Humberside Police (230), the Police Service of Northern Ireland (194) and Durham Constabulary (125).
Meanwhile, Cheshire Police, which listed its figures in financial years, reported that it suffered 289 data breaches in 2019–2020.
By contrast, the Metropolitan Police and Dorset Police claimed to have suffered no data breaches since at least 2016.
As promising as this sounds, it may be evidence of incomplete records or a loose definition of ‘data breach’ rather than effective data protection practices.
After all, security incidents are a constant threat for all organisations – and this is doubly so for the likes of police forces, which process large volumes of sensitive data – and is why experts such as ourselves urge organisations to prioritise both information security and incident response.