Police forces across the UK have ceased all work with the country’s largest private forensics provider, after a ransomware attack destroyed or locked essential case data held on the company’s systems.
Exact details and the extent of damage haven’t been revealed, but the company Eurofins processes more than 70,000 cases each year, including murder and terrorism offences.
For the past fortnight, regional police forces have had to submit requests for forensic work to a national coordinating group team, which is managing outsourcing to prioritise the most serious cases.
The company, which carries out DNA analysis, ballistics, toxicology, and computer forensics, uncovered a ransomware attack on 2 June. Police across the country have suspended all work with the company as a result, believed to account for more than half of all of outsourced case work.
Police services across the UK have had a cap placed on the amount of forensic work they can undertake, and a police Gold Group response has been convened to manage the growing backlog – a step only taken in the case of major incidents and emergencies.
Eurofin is by far the largest private provider of forensic services, and others reportedly don’t have the capacity to take on the extra casework, which could lead to delays in forensic testing and scheduling of court cases.
Attacks on the law enforcement supply chain are on the rise
Eurofins said fast action had been taken to contain the attack and, so far, there is no evidence that confidential client data had been stolen or transferred. Having been stung by a series of recent attacks however, the country’s police services aren’t taking any chances.
Private forensic service suppliers have been hit by a number of problems recently, including the ongoing criminal investigation into alleged drug test manipulation at Manchester’s Randox Testing Services laboratory.
It’s always unsettling when law enforcement agencies are breached. It calls into question their own security readiness, while jeopardising legal proceedings, and risking having otherwise watertight convictions over-turned.
If the systems the police rely on aren’t cyber-safe, what systems are?
Hacking the detectives
IN MAY, cybercriminals compromised the newsroom section of the British Transport Police, where they found email addresses and phone numbers of BTP staff.
The breach was first thought to have targeted only the news section, but BTP has revealed that a “small number” of staff emails and telephone numbers were exposed. It also says the website isn’t connected to the Force’s crime management or command and control systems, and that operational capabilities weren’t affected.
IN MARCH, hackers struck the computer systems of the Police Federation of England and Wales (PFEW) in what appeared to be a random attempt to breach their systems.
The association, which represents close to 120,000 police officers across the country, was able to stop the attack from spreading to its 43 individual branches and contain it to its Surrey HQ.
In that case security systems recognised the breach and sprang into action. The risk of a data breach to policing systems, however, is not something to be taken lightly.
Offenders will sometimes seek retribution against police and other members of the legal system. Having their home addresses and contact details out in the public domain could lead to harassment, intimidation, or even violence against officers or their families.
IN JUNE, Hackers hit the US Customs and Border Protection (CBP) agency earlier this month, accessing photos taken of travellers and their cars as they moved through road entry points.
Nearly 100,000 people had their images exposed, which included photos of license plates and the cars they were driving.
Attackers focused on one of the CBP’s sub-contractors, which was holding the images on its own IT systems.
It isn’t clear why the un-named company held the data on its systems, but the CBP says it believes they ‘…violated mandatory security and privacy protocols outlined in their contract.”
Managing cyber risk in the supply chain
Following the breach CBP removed all software and devices related to lost data, and launched an audit of all work completed by the sub-contractor. It’s since notified other law enforcement agencies and asked its own internal affairs office to investigate the incident.
Police and law enforcement are mandated to act quickly and robustly when a breach occurs anywhere in their supplier network.
In the private sector, tolerance for supplier failure is rapidly disappearing wherever it occurs.
While the stakes are commercial rather than legal, customers and consumers hold brands to account for breaches.
The fact that a breach is enabled by negligent action or inaction on the part of a company supplier doesn’t matter. The organisation that contracts the supplier and gives it access to sensitive data gets the blame.
Strengthening security at every link
Whether it’s your own organisation or one you contract out to, every contractor and subcontractor working with customer or proprietary data needs to take ownership of cybersecurity, and protect the sensitive information it stores, receives, or transmits.
Systems need the latest technological defences, but as we see again and again, it’s not a matter of if a system will be breached – it’s a matter of when.
Organisations can supplement their infosec investments by empowering their own people: placing employees on the lookout for cyber attacks and the signs that a hacker is trying to breach corporate networks or personal devices.
Cyber risk as a daily management challenge and enlisting those at the front line to help is one of the most effective ways to stay secure.
Want to know more about security awareness training? Why not sign up for a free demo and find out how we’re already helping government and public sector organisations dramatically improve employee security awareness.