ICO Probes CEOP Over Unencrypted Data Breach

A breach at the Child Exploitation and Online Protection Centre has triggered an ICO investigation

The Information Commissioner’s Office (ICO) has confirmed that it has begun an investigation over a possible security breach at the Child Exploitation and Online Protection Centre (CEOP) following the discovery of unencrypted personal details.

The discovery, said to have been made by a member of the public is potentially serious as CEOP is the agency responsible for dealing with sex offenders.

Hypothetical Risk

The alleged security breach at CEOP is said to be from hyperlinks to a confidential page on the agency’s website, where people can report incidents of possible abuse.  Users who follow links to the site from Google or Facebook are directed to an unencrypted page, but if users opt to file a report they are then directed to a SSL-secured webpage.

However, the concern is that, because the initial landing page was an unencrypted webpage, a search query or other action carried out on the unsecured CEOP site could hypothetically have been observed or intercepted by other web users, because their actions were effectively sent in the clear.

The incident certainly seems to be a security oversight by CEOP, rather than an actual real life data breach. And of course, it also assumes a high level of technical expertise on behalf of the person supposedly intercepting these ‘in the clear’ transmissions.

However, the sensitive nature of CEOP’s work means that the ICO is now involved, and it confirmed to eWEEK Europe that it was investigating the matter.

“We are making enquiries into the circumstances of this alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken,” said the ICO spokesperson.

No Evidence Of Breach

“The risk was a hypothetical one and there is no evidence to suggest anyone’s details have been jeopardised,” CEOP’s CEO, Peter Davies, said in an emailed statement. “We thank the member of the public who brought this issue to our attention and have rectified the problem so people can continue to report any concerns they have to us, with the reassurance that their report will remain secure.”

Peter Davies succeeded former CEOP chief executive Jim Gamble, who resigned late last year over concerns about government plans to roll CEOP into the National Crime Agency, which he felt would not benefit children.

The CEOP agency gained a lot of publicity last year thanks to its lobbying of the likes of Facebook to place a “panic button” on the social network for threatened children to use, if they thought a paedophile might be pestering them online.

Facebook initially resisted the idea, but it finally reached a compromise with CEOP, stating that both organisations were “aligned on making the Internet safer.”