The names and details of victims of crime in Greater Manchester – including those of sexual abuse – have allegedly been accidentally put online.
The data breach, which the Manchester Evening News has been told is ‘very serious’ – in both size and content – is under investigation by both GMP themselves and the Information Commissioner’s Office (ICO).
The region’s crime boss has ‘asked for an explanation as to why [she] and the mayor were not informed of this incident at the earliest opportunity’.
The sensitive information, which includes names and addresses of victims, witnesses and people reporting crime, was uploaded as part of a test.
This morning, it was reported that there had been a massive data breach related to iOPS at GMP and that ‘anyone’ had been able to access records that included sex crime victims, witnesses and informants.
The force told the MEN no informant details were part of the data breach, but admitted a snapshot of historic details, including names and crimes, were accessible by an external contractor. It is understood the cases run into the thousands.
And GMP say that so far, there is nothing to indicate the information has been externally accessed.
Victims of sexual crimes have the right to anonymity by law.
The information was a snapshot of historic incidents used by a contractor commissioned by the force to develop software.
It comprised displays, graphs and statistics but, if the right tabs were clicked, anyone could have progressed to the names of victims – and the area where incidents occurred.
It does not include photographs or videos.
The breach did not mean anyone could access the force’s live computer system and access ongoing incidents.
Assistant Chief Constable Chris Sykes said: “We are aware of a possible data breach involving a limited dataset of personal information, which was used for testing purposes by our supplier.
“An internal investigation was immediately initiated and GMP proactively referred the matter to the Information Commissioners Office (ICO).
“In line with the ICO requirements GMP recorded the breach as soon as we became aware and gave a full description of the type of data involved.
“As well as informing the ICO our other priority was to contact our supplier to ensure the information was immediately taken down to make sure no further breaches were possible.
“Although any breach of data is a risk, I want to reassure the communities of Greater Manchester that the type of data available was limited personal data and did not include any detailed information on specific incidents or crimes. It also did not include any pictures, videos or addresses.
“This was in no way a breach of our live, operational system and was a snapshot of data that was being used on a test system.
“At this time there are currently no indicators to suggest that this data has been viewed by anyone outside of the authorised teams or that the data has been extracted.
“The investigation is currently ongoing with both the ICO and GMP and further reports will be issued to the ICO as appropriate.
“As the investigation is still ongoing we cannot provide any further information at this stage.”
Bev Hughes, deputy mayor of Greater Greater Manchester for policing, crime and criminal justice, said: “The public need to be able to trust public bodies with their data and this kind of error should never happen.
“It is incredibly important that victims of crime can be completely reassured that significant amounts of their personal data have not been published, and I have requested an urgent update from Greater Manchester Police on this specific point.
“Further, I have asked for an explanation as to why I and the mayor of Greater Manchester were not informed of this incident at the earliest opportunity.
“We await the findings of the independent Information Commissioner’s Office’s investigation. In the meantime, I am seeking swift reassurance from GMP that processes are being put in place to ensure this cannot ever reoccur.”
An ICO spokesperson said: “Greater Manchester Police have reported an incident to us and we will be making enquiries.”
GMP’s new £60m computer system, Integrated Operational Policing System (iOPS), has been plagued with problems.
But GMP say the data breach is not directly linked to iOPS.
In March this year a damning inspectorate report revealed it exposed vulnerable people to the potential risk of harm, and concluded there were ‘dramatic’ drops in safeguarding referrals for domestic abuse, child protection and for victim support.
Senior officers did not know what was in a huge backlog of cases that had built up between July and November last year following the introduction of iOPS.
Inspectors found nearly 700 domestic abuse incidents had been sitting in the queue, not being dealt with, concluding that senior command did not know what risks or threats were waiting to be addressed.
In one case, a domestic abuse incident involving a known sex offender was assessed as being appropriate for resolving over the phone rather than a visit in person – because staff could not find the necessary information.
Referrals for high-risk domestic abuse victims initially halved following the introduction of the network.
Staff also told Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services they had felt ‘blamed’ for problems with the new system, introduced July 2019, and that they felt they ‘weren’t being listened to’
The M.E.N. has repeatedly reported the concerns of frontline officers around iOPS, which went live in July 2019 to replace the force’s old, creaking IT systems – with particular fears raised over risk to the public and safeguarding of vulnerable people.
Senior command have repeatedly insisted the issues it has faced were expected and that nobody was being placed at risk.