At the end of last month it was reported that names and telephone numbers of suspects in terrorism probes carried out by the EU police agency, Europol, had been posted online by accident.
The Hague-based agency, which coordinates police efforts across the EU, confirmed that an ex-staff member had taken the data home in contravention of security protocols.
The former staff member concerned, who is an experienced police officer from a national authority, was reported to have uploaded Europol data to a private storage device while still working at the agency, in clear contravention of Europol policy. The police cases related to the breach are said to be a decade old, and Europol became aware of the incident in September 2016.
The agent is believed to have inadvertently published information about 54 different police investigations, with the breach spanning over 700 pages of data.
DarkMatter commentary and insights
While Europol claims that most of the released pages contain public information, and that the details not previously disclosed to the public have not affected ongoing investigations, this breakdown in the processes meant to maintain the integrity of sensitive information is all the more alarming given the profile of the entity involved.
As the EU police agency, it may reasonably be expected that the entity would have had a heightened sense of awareness of its cyber security risk, and would accordingly have in place more stringent and enforceable mechanisms to ensure digital information could not be copied and removed from the agency’s premises without prior knowledge and consent.
The breach poses larger questions about the data protection standards of an agency whose investigative powers are only set to expand next May with the introduction of a revamped Europe-wide intelligence-sharing programme.
The additional lack of transparency, given that Europol is reported to have become aware of the incident in September 2016 but only publicly disclosed details in November, is also alarming for an agency that should be well aware that speedy information sharing is a crucial component of cyber threat mitigation.
This incident highlights the need for corporate data policies, such as the non-removal of sensitive digital information, to be supported by cyber security measures that enforce compliance with them. Real-time network monitoring, the use of data loss prevention software and hardware, and the encryption of files that are accessible only on premises are among the measures that should be taken to guarantee staff adhere to data security protocols and policies where lapses through human error are not permissible.