Europol has launched an internal investigation after an officer accidentally exposed highly sensitive material on terror suspects online after contravening internal security policies.
Over 700 pages of confidential documents – including info on the Madrid train bombings, and terror group the Hofstad Network – were found on an officer’s internet-connected hard drive, without any password protection.
As reported, the Dutch TV program Zembla told the BBC they found the drive through a simple Shodan search, and were able to remotely access the data with ease.
The member of staff in question has since left to take up a position with the Dutch police, but copying the details to a personal drive was a “clear contravention” of Europol rules, the report claimed.
A Europol statement had the following:
"Although this case relates to Europol sensitive information dating from around 10 years ago, Europol immediately informed the concerned member states. As of today, there is no indication that an investigation has been jeopardized, due to the compromise of this historical data. Europol will continue to assess the impact of the data in question, together with concerned member states."
Jon Fielding, EMEA managing director at hard drive company Apricorn, argued that corporate data security policies must be enforced to avoid slip-ups like this.
“Most enterprises will deploy solutions that whitelist the devices they will allow to be plugged into their IT estate via the USB port, to ensure only those approved can be used,” he added. "This would block the insertion of a personal device for example.”
Encryption is another must to mitigate the risk of a data breach, Fielding claimed.
“Once a USB port is locked only to accept approved and encrypted devices, an organization can be confident that any data crossing the USB port is encrypted and protected on a corporate approved device, all of which would have saved Europol the embarrassment and potential repercussions of the leak they have suffered,” he concluded.