May 17, 2019

For the second time this year cybercriminals have attacked the computer systems of a major UK police service. Email addresses and phone numbers of British Transport Police (BTP) staff were leaked after hackers compromised the newsroom section of BTP’s website.

The website’s newsroom section has been shut down as a precaution and replaced with a Tumblr feed. The exact timeline of the attack hasn’t been confirmed, but posts on the temporary page start from Monday 13th May.

The breach was first thought to have targeted only the news section, but BTP now says a “small number” of staff emails and telephone numbers were exposed. It also says the website isn’t connected to the Force’s crime management or command and control systems, and that operational capabilities haven’t been affected.

It’s not clear yet whether hackers targeted BTP specifically, or whether it had been caught up in a non-targeted cyber attack against its website hosting supplier.

Not the first time

Earlier this year hackers struck the computer systems of the Police Federation of England and Wales (PFEW) in what appeared to be a random attempt to breach their systems.

The association, which represents close to 120,000 police officers across the country, was able to prevent the attack from spreading to its 43 individual branches and contain it to its Surrey HQ.

In that case security systems recognised the breach and sprang into action. The risk of a data breach to policing systems, however, is not something to be taken lightly. Offenders will sometimes seek retribution against police and other members of the legal system. Having their home addresses and contact details out in the public domain could lead to harassment, intimidation, or even violence against officers or their families.

Is no one safe online?

From police services to cybersecurity technology vendors, the BTP hack demonstrates with crystal clarity that no one is completely immune to cyber attack.

Hackers are smart, determined and well-organised – so much so that the institutions and technologies meant to protect us sometimes struggle to protect themselves. A criminal gang recently got past the network defences of three major anti-virus companies, nicked their pre-release software and then put it up for auction to the broader ‘hacking community’.

Size, resources, and technological capability just aren’t enough to ensure online safety. Well-known brands like Amazon, Uber, and Equifax have all been breached in recent memory. Facebook, with billions available for security, has suffered numerous large data breaches, even after having its cyber protections questioned by regulators and its founder being grilled under oath.

Cyber risk is perpetual

Penetrating police websites and the systems of major cyber security vendors ups the ante in cybersecurity, but for most organisations a breach of some kind is a matter of when, not if.

From technical vulnerabilities to poor processes and occasional human error, organisations have hidden weaknesses that hackers will eventually uncover and exploit. Investing in the latest cyber technologies and making sure they are up-to-date is essential, but great technology is no guarantee.

The best security systems in the world are susceptible to technical vulnerabilities and occasional human error. A programme of security awareness training can strengthen your technology investments by adding a human layer to cyber defences: sensitising people to the risk of data breaches and educating them on how to spot the signs that an attack is underway.

With better training and education, staff can help police your organisation’s IT estate, alert security when they detect odd or adverse behaviour on the network, and avoid being tricked by phishing scams into giving away vital information.

Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.

