Exclusive: Major data breach at Greater Manchester Police left victims' information online

The force confirmed it is investigating the incident

An investigation has been launched into claims that Greater Manchester Police accidentally leaked “a dataset of personal information” - including the names and details of sexual assault victims.

The force stands accused of an extraordinary data breach in which it allowed highly sensitive police data to be accessed online, including the names and details of the victims of sex crimes, who have a legal right to remain anonymous.

A police spokesperson confirmed to The Mill that “a dataset of personal information” was involved, and said: “An internal investigation was immediately initiated and GMP has proactively referred the matter to the Information Commissioner's Office (ICO).”

The story comes from an anonymous whistleblower, whose information was passed to The Mill by an intermediary. We have not spoken to the source, whose encrypted email address has now been deactivated, but Greater Manchester Police have not denied any of the source’s key claims.

GMP’s Chief Constable Ian Hopkins

The existence of an official data investigation has also been confirmed by the ICO, which regulates data protection in the UK. A spokesperson told The Mill: “Greater Manchester Police have reported an incident to us and we will be making enquiries.”

The source says that just under three weeks ago, an officer discovered that sensitive GMP data was accessible without a password on the website of an overseas IT company contracted by the force. The Mill is choosing not to name the contractors involved in this story until we have established more details and given them sufficient chance to comment.

It meant anyone could access information about crimes and incidents in Greater Manchester, including the names, addresses and personal details of vulnerable victims, witnesses and informants. The data had allegedly been uploaded to a “test system” by a different contractor. A test system is part of the process of developing the software GMP uses to record incidents and store sensitive information.

According to the whistleblower’s account, which has not been disputed by GMP, the Integrated Operational Policing System (or iOPS) used by the force had been connected to the internet and had been online for more than two months.

The iOPS carries all GMP’s data including victim and informant details, calls from the public, intelligence, criminal investigation logs, custody records and files for court cases. It went live in July 2019, replacing older computer systems at a cost of £60 million.

The revelation that the security of iOPS was compromised is likely to cause deep alarm among residents who have had recent dealings with the police, including those who have experienced domestic abuse or sexual assault. The force described the set of personal information as “limited” and said there are “currently no indicators” that the data was viewed or extracted from the website.

The breach will also raise serious questions about why a test system was loaded with real data - including sensitive personal information. The source says that GMP is investigating whether any of the data has been sold or offered for sale on the dark web.

The serious breach comes after months of serious failures with the iOPS system. In March a scathing report from Her Majesty's Inspectorate of Constabulary identified delays in answering 999 calls and "serious" backlogs in dealing with cases of abuse. And in July it was reported that officers were having to resort to paper records.

Today’s whistleblower says the system apparently crashed again on Tuesday this week (September 29th) leading some officers and staff to resort to paper processes again.

Greater Manchester Police sent The Mill the following statement a few hours ago:

GMP is aware of a possible data breach involving a limited dataset of personal information, which was used for testing purposes. An internal investigation was immediately initiated and GMP has proactively referred the matter to the Information Commissioner's Office (ICO).

The information was immediately taken down to ensure no further access could be gained. The possible data that could have been accessed did not include any pictures or video.

The investigation is currently ongoing and further reports will be issued to the ICO as appropriate. As the investigation is still ongoing we cannot provide any further information at this stage.

There are currently no indicators to suggest that this data has been viewed by anyone outside of the authorised teams or that the data has been extracted.

The Mill will continue to report on this incident. If you have information that might be useful, please email joshi@manchestermill.co.uk or joshiherrmann@protonmail.com. To do so securely, create a Protonmail account.