A child protection department under the UK’s peak serious crime fighting agency forgot to encrypt submissions made through its website.
The failure to encrypt complaints lodged over the Child Exploitation and Online Protection Centre’s website meant that sensitive details could have been exposed during transmission, according to the UK’s Information Commissioner’s Office (ICO).
The site had been insecure for several months, according to the ICO's review.
A person submitting a tip to the CEOP noticed the online form used by the department did not encrypt the information in transit and subsequently filed a complaint with the ICO in April.
The heads of CEOP and the agency it sits under, the UK’s Serious Organised Crime Agency (SOCA), have both signed undertakings to ensure the website was tested for security weaknesses.
“Organisations must make sure that any personal data transmitted electronically is adequately protected. While there is no evidence to suggest that attempts have been made to access any of the information, it is highly likely that it would have been sensitive in nature and should not have been compromised by insufficient IT security measures,” said the ICO’s acting head of enforcement, Sally Anne Poole.