Editorial

Europol’s massive data security breach down to ‘human error’

Files covering issues as sensitive as the Madrid bombings were carelessly left open to the Internet, body admits

Posted 1 December 2016 by Gary Flood


'Data Protection' on Flickr by Godrej LeeEuropol, the European Union’s law enforcement agency, has admitted over 700 pages of confidential police files on 54 European terrorist cases were left unencrypted and available for view online – probably down to human error.

Confidential files were apparently taken home by a staff member and put on a personal Iomega storage device that was later connected to the Internet without a password – potentially allowing anyone to download the files.

The files, believed to span 2006-2008, are understood to contain hundreds of names and telephone numbers of people associated with terrorism, along with Europol analyses of terrorist groups.

They are reported to have discussed the Madrid bombings, foiled attacks on planes with liquid explosives, as well as terrorist investigations that have never been made public.

The leak was made public by Dutch documentary programme ‘Zembla,’ and broken in the English speaking world by well known security and privacy commentator Glyn Moody in a piece this week on science and culture site Ars Technica.

The latter quotes a Europol statement to it on the breach: “The concerned former staff member, an experienced police officer from a national authority, uploaded Europol data to a private storage device while still working at Europol, in clear contravention to Europol policy.

“A security investigation regarding this case is on-going, in coordination with the respective authorities at national level to which the staff member returned. Current information suggests that the security breach was not ill-intended.”

“Europol operates state-of-the-art databases and secure communication capabilities for processing and analysing operational and classified information,” Europol told the site, adding: “Human error is the weakest link when it comes to the intersection of staff, data, and technology.”