Cop shop rapped for 'completely avoidable' web form blunder

The London Mayor's Office for Policing and Crime is being rapped by regulators for untidy tech practices that made public the personal data of hundreds of people who filed complaints against the Metropolitan Police Service. According to the Information Commissioner’s Office, MOPAC made a "completely avoidable" webform error …

  1. Flak
    Facepalm

    Checking it twice

    Surely this is exactly the kind of situation where, prior to a service going live or being changed, you would want to ensure there are no unintended consequences.

    1. cyberdemon Silver badge
      Devil

      Re: Checking it twice

      For a complaints logging database? Nah, just use the lowest-bid contractor for that system that we've been forced to implement but don't actually want ...

      We used to have a paper-based system called the cylindrical receptacle, but those scrotes in Whitehall said it wasn't sufficient

  2. Mike 137 Silver badge

    Why on Earth?

    "ensure there are no unintended consequences"

    It's much more basic than that. Why was internal access to the data expected to be via the public portal? Surely it's a fundamental that internal and external access are segregated? Or are we once again falling foul of the output of web devs who understand nothing about even basic security? I suspect that the general misunderstanding of "agile" has a lot to do with it, as it's commonly interpreted as "tinker without planning" so nobody actually designs anything -- they just implement on the fly until it "works" and release it.

    1. Handlebars

      Re: Why on Earth?

      Probably an off the shelf forms product deployed by non technical staff.

  3. Bendacious

    Email submission

    I see their "effective mitigation for the security issue" is to remove the online forms and instead ask people to email their complaints to ComplaintReviews@mopac.london.gov.uk. Fortunately emails are entirely secure in transit and storage. Plus, forwarding plain-text emails to the group, rather than making the group log in with 2FA to access encrypted database records with full auditing, is much more convenient.</sarcasm>

    1. David 132 Silver badge

      Re: Email submission

      And I suspect, coming any day now from the Met… a practical demonstration of why you should use BCC not “Reply All”!

  4. Yorick Hunt Silver badge
    Holmes

    Exposing complainants?

    Sounds like it was a design specification. "Want to complain about us? Well eff ewe!"

    1. perkele

      Re: Exposing complainants?

      In the old days you'd complain about police, allegedly, and the secret report would suddenly not be secret through a nod and a wink and a lift of trousers...

      And you might still fall down the stairs sometime in the future.

      1. Anonymous Coward
        Anonymous Coward

        Re: Exposing complainants?

        I once complained about a police car pulling out in front of me when I had right of way and only putting the blues and twos on after I had nearly crashed into it. I made it clear that I was a forgiving guy and wanted no more than someone to remind them not to do that.

        The response was a letter telling me they had decided I wouldn't be prosecuted for the incident.

  5. Doctor Syntax Silver badge

    "However, there is no evidence that the data was ever accessed,"

    Absence of evidence is not evidence of absence. Is there any evidence that it wasn't accessed?

  6. perkele

    "Why the reprimand? MOPAC "acted professionally" throughout the investigation to tell the Met Police complainants about the screw-up. And MOPAC has since taken "remedial steps" including "awareness and training" around "permission forms.""

    Would the Met Police accept that excuse, or even Khan's TFL, if you screw up and do a crime / drive in a wrong street and "act professionally" to deal with their complaint and then let you off? Doubt it.

    No mention of people being sacked as if they are so incompetent how can they be left in post? Or be redirected to pick up dog shit/direct traffic as they're obviously not fit for first year CompSci-type jobs if that.

  7. Ken Moorhouse Silver badge

    Your email has been entered into a prize draw...

    1st prize is a holiday to Rwanda.

    ===

    Who would be a whistleblower if this is the way confidential correspondence is handled?

  8. t245t Silver badge
    Facepalm

    Insecurity in the web form

    ‘users could see "everything that had been submitted via web form"’

  9. Michael Mounteney

    "However, there is no evidence that the data was ever accessed,"

    I smashed some car windscreens on my street today because "there was no evidence" that their owners didn't want them smashed.
