TfL and Met hit with personal data leaks
Transport for London and the Metropolitan Police were today urged to do more to keep personal data “watertight” after it emerged they have experienced more than 200 data breaches over the last five years.
The bodies, part of the Greater London Authority, were warned not to “abuse the trust” of the public who provided personal — and in some cases highly sensitive — information.
Len Duvall, chairman of the GLA’s oversight committee, said that even though the majority of breaches were due to human error it was vital for TfL, the Met and other organisations to “be on top” of the issue.
The Information Commissioner, Elizabeth Denham, told the committee that too much focus on big cyber-attacks, such as the NHS ransomware virus, risked neglecting the source of the majority of breaches.
Ms Denham said: “The biggest risk is people, but that is also the biggest solution. Part of the problem is everybody is focusing on big cyber hacks and criminal actions... but I can tell you that 95 per cent of the data breaches that are reported to us are low-tech, and are not criminal hacks.
“They are completely preventable through training, up-to-date software, clear roles and responsibilities and evergreen IT security practices.”
In figures seen by the Standard, the majority, 162, of the 285 data breaches in the GLA group happened at the Met while a further 96 took place at TfL.
The London Legacy Development Corporation had 15 breaches and City Hall nine.
The London Fire and Emergency Planning Authority and the Mayor’s Office for Policing and Crime had two and one respectively.
Just 10 of the breaches were serious enough to report to the Information Commissioner’s Office.
TfL collects personal data from passengers moving around the capital every time they use a registered Oyster or contactless payment card.
It also records vehicles travelling across London’s low-emission and C-charge zones through number plate recognition cameras. The Met can also see this data.
In addition, Scotland Yard has access to sensitive information including the health records of vulnerable individuals and victims of crime.
It has also used facial recognition technology at events such as the Notting Hill carnival.
Mr Duvall said: “When a large organisation is collecting vast amounts of data from customers, security must be watertight.”
Source: Evening Standard 25/09/2017