Police database flagged 9,000 cybercrime reports as 'security risk'

Reports were quarantined by software designed to protect fraud bureau’s computer system, watchdog told.


Thousands of reports of cybercrime were quarantined on a police database instead of being investigated because software designed to protect the computer system labelled them a security risk.

The backlog at one point stretched to about 9,000 reports of cybercrime and fraud, some of them dating back to October last year. The reports had been made to Action Fraud and handed to the National Fraud Intelligence Bureau (NFIB), run by the City of London police.

They were added to a database called Know Fraud where they are supposed to be processed, assessed and distributed among investigators.

The problem was revealed on Thursday in the findings of an inspection by a police watchdog, Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services (HMICFRS), on how forces were responding to cyber-dependent crime.

By April about 9,000 reports were affected and by July the number had fallen to about 6,500, HMICFRS was told. The problem occurred as part of a system update that resulted in the “removal or disabling of some rules causing a high number of reports to be rejected”, the force said.

A small number of lower priority cases in the backlog, such as those with incorrect or missing details, may date back to October 2018. Now 500 cases were waiting to be released from quarantine, a force spokeswoman added.

The software screens reports to identify security risks and quarantines any that could pose a “potentially significant threat to the security of the database” so that they can be manually checked before being released.

It searches for the kinds of threats, such as viruses and other malware, that hackers use to bypass security measures and attack databases, systems and websites.

This is to protect against reports submitted by members of the public that have been sent from unknowingly infected computers, as well as to root out malicious attempts to infiltrate the database.

But the very nature of the crime reports could have caused them to be quarantined because they may have unintentionally contained sequences of words and symbols that act as markers for the software to warn of a possible security risk.

The force was told it must “with immediate effect” explain to the Home Office how it proposed to tackle the problem and stop it from happening again.

A City of London police spokeswoman said it was working with its supplier IBM to “review the security protocols” that caused the problem, adding: “Reports which are a security risk will continue to be quarantined but are actively monitored, for example to ensure that reports from vulnerable victims are prioritised and acted on.”

HMICFRS looked at how all police forces, as well as some national bodies, dealt with cyber-dependent crimes. These are offences that could only be carried out with the use of a computer or similar devices – such as sending out viruses, infecting systems with spyware, targeting social media and emails or compromising companies with ransomware.

Overall, inspectors found the police approach to such crimes to be generally good but inconsistent. They raised concerns about the number of cases that were closed with no action taken and no suspect identified.

HMICFRS said the current police structure used to decide which teams investigated the crimes needed to change.