Unencrypted form lying on the website for months made it vulnerable to hackers looking for sensitive personal details
The Information Commissioner’s Office (ICO) has said that the Child Exploitation and Online Protection Centre (CEOP) and the Serious Organised Crime Agency (SOCA) – its parent organisation – have taken action after the discovery of a security loophole on CEOP’s website.
The ICO said that an investigation had revealed that an online form on the CEOP’s website had been insecure for several months. However the communications watchdog added that its probe did not find any hack attempts on the website.
The ICO came to know about the glitch when an individual complained about it on the website that handles queries on sensitive topics such as child exploitation. The person alerted the ICO on 6 April, saying that the online form on the CEOP website was not encrypted, which means that data entered on the form would have been vulnerable while it was being transmitted to CEOP’s servers.
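The weakness described above is a form whose submission target is plain HTTP rather than HTTPS. As an added illustration (not code from the ICO, CEOP or SOCA), the following Python check parses the forms on a page and flags any that would send a visitor's input in the clear; the page URL and HTML are constructed sample values, not the real CEOP site.

```python
"""Audit an HTML page for forms that would submit user input unencrypted."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> element on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action means "submit to the page itself".
            self.actions.append(dict(attrs).get("action") or "")


def find_plaintext_forms(page_url, html):
    """Return (form_index, resolved_action, reason) for every form at risk.

    A form is flagged when its submission target is not https, or when the
    page hosting it is served over plain http (the form itself could then be
    altered in transit before the browser ever renders it).
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for i, action in enumerate(parser.actions):
        target = urljoin(page_url, action)  # relative actions inherit the page scheme
        scheme = urlsplit(target).scheme.lower()
        if scheme != "https":
            findings.append((i, target, "form submits over " + (scheme or "unknown")))
        elif page_scheme != "https":
            findings.append((i, target, "https action on a page served over " + page_scheme))
    return findings


# Constructed sample page: one relative form, one absolute https form,
# one form that explicitly posts to http.
SAMPLE_HTML = """
<html><body>
<form action="/report" method="post"><input name="details"></form>
<form action="https://example.test/report" method="post"></form>
<form action="http://example.test/legacy" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_plaintext_forms("http://example.test/contact", SAMPLE_HTML):
        print(finding)
```

Run against a page fetched over https, only the explicit http form is reported; fetched over http, all three are, because the relative action inherits the page scheme.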
The ICO said, "Both [CEOP and SOCA] organisations have now taken action to improve the security of the CEOP website in order to keep the personal information they handle secure."
The ICO has made the two organisations sign an undertaking to ensure that such incidents do not occur in future.
Acting Head of Enforcement Sally Anne Poole warned that organisations must make sure that any personal data transmitted electronically is adequately protected.
"While there is no evidence to suggest that attempts have been made to access any of the information, it is highly likely that it would have been sensitive in nature and should not have been compromised by insufficient IT security measures.
"We are pleased that CEOP and SOCA have taken action to make sure that all of the information sent in by members of the public remains secure," Poole added.
The ICO also said that CEOP chief executive officer Peter Davies and SOCA Director General Trevor Pearce QPM have jointly signed an undertaking to ensure that CEOP’s website is regularly tested, so that the personal data they process remains secure and potential weaknesses are identified immediately.
CEOP will also implement the recommendations of a recent Information Security Review and continue to make sure that they are followed, said the ICO.
The watchdog said that another undertaking has been signed today by Royal Liverpool and Broadgreen University Hospitals NHS Trust. The trust breached the Data Protection Act by losing the personal information of 49 patients in two separate incidents earlier this year.
"Royal Liverpool and Broadgreen University Hospitals NHS Trust has now agreed to make significant improvements to the way it keeps information secure. The trust will also undergo an audit from the ICO in order to further improve their compliance with the Act," said the ICO.