"Security measures have been taken by the MPS as a result of this report," the statement said
Always after the data breach. The only viable security is proactive security -- making your infrastructure the hardest possible nut to crack commensurate with the value/sensitivity of the information to be protected -- before it's been breached.
The big problems that prevent this are  the up front cost, which usually seems unnecessary because "nothing's happened yet",  the utter uselessness of current common practice in risk assessment, which typically causes assessment results to be meaningless,  a fundamental misapprehension that 'policies' automatically drive behaviours,  an almost complete lack of adequate training for staff at all levels, right up to the executive, who frequently get exempted from the (typically useless) so-called 'training' provided.
Until these deficiencies are fixed, there'll be no such thing as genuine infosec, so the adversary will usually win.