[BreachExchange] ICO Fines London Council for Gangs Matrix Data Leak Exposing 203 People

Destry Winant destry at riskbasedsecurity.com
Wed Apr 10 01:51:05 EDT 2019


https://www.bleepingcomputer.com/news/security/ico-fines-london-council-for-gangs-matrix-data-leak-exposing-203-people/

The London Borough of Newham received a £145,000 monetary penalty from
the Information Commissioner’s Office (ICO) after leaking the personal
information of more than 200 individuals allegedly associated with
gangs.

As discovered by an ICO investigation, the personal data of more than
203 alleged gang members was disclosed by a Newham Council employee
who emailed the information, part of the Gangs Matrix police
intelligence database, to 44 recipients, in both redacted and
unredacted form.

The ICO found that the council employee shared dates of birth and home
addresses with the third parties, as well as information on the
supposed gang members' association and firearm or knife carrying
status.

Fine was issued under the Data Protection Act 1998

All the personal info leaked in the breach was sent by the
Metropolitan Police Service (MPS) during a coordinated operation
designed to both prevent and tackle gang violence.

According to the monetary penalty notice, "The Gangs Matrix is a
database of intelligence about gang members. One of the purposes of
the Gangs Matrix is that relevant information and intelligence about
persons on the Matrix is shared with relevant bodies in order to
prevent and detect crime, deter gang activity and enable appropriate
support to those who need it."

Following the data leak, multiple gang-related violent incidents were
reported in the Borough of Newham, with some of the victims having
been listed on the shared unredacted list.

Because the data breach occurred on January 26, 2017, the fine was
issued under the Data Protection Act 1998, and not under the General
Data Protection Regulation which replaced it on May 25, 2018.

"We recognise there is a national concern about violent gang crime and
the importance of tackling it. We also recognise the challenges of
public authorities in doing this. Appropriate sharing of information
has its part to play in this challenge but it must be done lawfully
and safely," said Deputy Commissioner James Dipple-Johnstone.

Council failed to notify the ICO of the breach

To make things even worse, while Newham Council conducted an
investigation, it failed to report the data breach to the ICO, further
increasing the danger the individuals in the leaked Gangs Matrix data
were exposed to. Furthermore, the council also delayed the
investigation until December 2017.

The Newham Council data breach was eventually discovered by the ICO
during a wider inquiry into the use of the Gangs Matrix database by
the MPS.

Following this investigation, which found that the MPS also failed to
comply with data protection rules, the ICO issued an enforcement
notice against the MPS that required "providing better
arrangements for sharing the Matrix with partner agencies."

"Our investigation concluded that it was unnecessary, unfair and
excessive for Newham Council to have shared the unredacted database
with a large number of people and organisations, when a redacted
version was readily available. The risks associated with such a
transfer of sensitive information should have been obvious," also
argued Dipple-Johnstone.

