Cyber Incident Victim: Gwent Police

Gwent Police discovered a potential data breach in February 2017 during an internal security review, which revealed that a custom web tool developed by their digital team had exposed confidential reports submitted by members of the public. The tool, understood to be unique to the force, inadvertently made sensitive information accessible for up to two years. An immediate investigation was launched to determine whether any data had been accessed, and the tool was promptly decommissioned. Despite identifying the vulnerability, the force did not notify the approximately 450 affected individuals or organizations whose data might have been compromised. Gwent Police also delayed formal reporting to the Information Commissioner's Office (ICO) until contacted by Sky News over a year later in March 2018, a lapse that potentially violated Data Protection Act obligations regarding breach disclosure timelines.

The exposed data consisted of confidential public reports, though the force asserted that accessing it required advanced technical skills and knowledge of a complex, lengthy URL containing random characters. Gwent Police stated they found no evidence of malicious activity or complaints indicating unauthorized access and concluded there was a high probability no data had been exfiltrated. However, they acknowledged being unable to definitively confirm whether any information was accessed. Following media inquiries, the force belatedly notified the ICO and committed to formal reporting procedures. Police and Crime Commissioner Jeff Cuthbert announced plans to scrutinize the incident, demand a comprehensive report from the chief constable, and ensure immediate implementation of improved data protection measures. The ICO confirmed it would investigate after receiving delayed notification. Cybersecurity experts criticized the force’s failure to proactively classify the exposure as a notifiable incident given the sensitivity of the data involved.