Gwent Police in South Wales is facing an investigation over claims that it covered up a serious security flaw that could have endangered the lives of as many as 450 people.
The flaw in the force's online reporting tool had existed for around two years before an internal security review uncovered it, but the people who had used the tool were never informed. The tool has since been decommissioned.
The claims were made today by Sky News, which adds that the force also failed to notify the Information Commissioner's Office (ICO). In a statement to Sky News, the force said that it would now be contacting the ICO - but only after the matter had been made public.
"Gwent Police has recently contacted the ICO and confirmed that formal notification will be provided for consideration," read the statement.
It continued: "Data integrity is of paramount importance to Gwent Police and we continually review our governance procedures to minimise the risk of data breaches."
The flaw was discovered in February 2017, and the force says an investigation was started immediately to ascertain whether any data had been compromised. According to Sky News, however, by the time the investigation actually got under way the server logs had already been deleted, leaving no record against which access to the data could be checked.
The insecure tool had been developed by Gwent Police's own in-house 'digital development team'.
In addition to an investigation by the ICO, Gwent Police is now also facing a probe by the Police and Crime Commissioner for Gwent, Jeff Cuthbert.
In the statement to Sky News, Gwent Police claimed that for any data to have been compromised would have required "a reasonable level of technical skill".
They told Sky: "For someone to access this data, they would have had to have been actively looking on the specific area of the site, had a reasonable level of technical skill and known a complex URL (which was long in length and a mixture of random characters).
"There has been no other form of communication (complaints or any malicious activity on our security system). It was concluded that there was a high probability no data had been accessed and no risk to any individuals."
Jan van Vliet, a vice president at security firm Digital Guardian, suggested that once the GDPR comes into force in May 2018, a cover-up of this kind would almost certainly be a top priority for the ICO.
"Public and private organisations alike have a duty of care, not to mention legal obligation, to protect data. By failing to discover the security flaws of their online tool and appearing to disregard security best practices, Gwent Police has acted negligently," said van Vliet.
He continued: "If GDPR were already in force, the potential repercussions for Gwent Police could be far greater, as it appears that it was in violation of two requirements of the regulation.
"First, under the GDPR, companies are required to use appropriate measures to protect all personal data - has this information even been encrypted? Second, companies are obliged to report suspected incidents to the authorities within 72 hours, which Gwent failed to do.
"The incident also reminds us of the dangers of not notifying the affected parties. Gwent Police has failed to notify victims of the potential breach, putting those affected at further risk.
"If personal details got into the wrong hands, hackers could have targeted victims through phishing and social engineering attacks - and the victims would have had no reason to believe anything was suspicious."