Hertfordshire Police reports externally hosted database was hacked with data published

News by Dan Raywood

The website of Hertfordshire Police has been hacked, with login details and passwords for dozens of officers published.

According to BBC News, Hertfordshire Police confirmed that information stored on an externally hosted database had been published on the internet and that the data, including phone numbers and IP addresses, relates to a number of officers in Safer Neighbourhood Teams.

A statement said that it was investigating the incident and that, as a precaution, the pages had been temporarily disabled whilst the circumstances as to how this information was obtained were investigated.

“There is absolutely no suggestion that any personal data relating to officers or members of the public has been, or could have been compromised. Nevertheless matters of IT security are extremely important to the Constabulary and an investigation is already under way,” it said.

The hacker added an ‘OpFreeAssange’ banner to the details posted online; however, the hacker wrote ‘I am not a member of Anonymous’.

Catalin Cosoi, chief security researcher at Bitdefender, said: “The unknown attacker extracted from the second breached website what appear to be police officers' email addresses, passwords to those email accounts and a list of PINs probably employed as additional safety tools.

“Several user logs have also been made public, exposing a list of employee names and corresponding IPs that could be used in cyber crime operations requiring identification of a specific machine, containing a particular type of data.”

Paul Vlissidis, technical director at NCC Group, said: “Externally hosted databases are like any third party supplier – they can be a nasty potential security flaw because their practices and procedures are outside the control of the client.

“Miscreants are certainly very wise to this. We need to move towards a culture where it's common policy to audit external suppliers and make sure their security is up to scratch.”

Ash Patel, country manager for UK and Ireland at Stonesoft, said: “The most worrying aspect of this attack is that the hackers only made themselves known once they had achieved what they set out to.

“This raises an important question as to what other damage may have been caused and whether any other data was stolen that the force is currently not aware of. Furthermore, the organisation should think about potential Trojans that may have been left as sleepers in the database/network.

“Public sector organisations need to understand that hosting sites with third parties or outsourcing such important services to system integrators does not take responsibility away from those who are employed to ensure the security of ‘our’ data. It is time that it was made clear that the responsibility lies with the government and its employees in the same way that the nation's security lies with the armed forces.

“It is also important to note that Hertfordshire Police's website was externally hosted and this, as always, highlights that when employing third parties to host sites, the first and most important question that should be asked is with regards to security, after which can come questions around cost and availability. This is even more so the case when the organisations are of public interest.”
