Complaints to Sadiq Khan’s Met police watchdog on public view in ‘data breach’

Sadiq Khan is the police and crime commissioner for London  (PA)
Sadiq Khan is the police and crime commissioner for London (PA)

People who reported concerns about the Metropolitan Police to Sadiq Khan’s police watchdog had their personal data left on public display for months, City Hall has admitted.

Officials today apologised for a major “data breach” at the Mayor’s Office for Policing and Crime (Mopac) that affected about 400 people.

This resulted in communications sent by members of the public to Mopac via two “contact forms” on its website being left open to public inspection between last November and February.

These are understood to have included complaints about the Met police and potentially instances where people chose to report incidents or allegations direct to Mopac because of a lack of faith in the Met.

An internal investigation by City Hall has so far suggested that there is “no evidence that the information had been accessed or used maliciously”. As such, it is describing the incident as a “data breach”, not a “data leak”.

However, it has reported the matter — which has been blamed on a “manual error” by an unnamed City Hall employee, and was not the result of a cyber-attack — to the Information Commissioner’s Office.

Email addresses and personal details of people who contacted Mopac, but not their financial details, were accessible to others.

Caroline Russell, chair of the London Assembly police and crime committee, said: “This should never have happened.

“The most sensitive data imaginable has been managed with a lack of care - victims must be able to trust our policing institutions to handle their data responsibly. While we have been told independent investigations have found no evidence that data has been misused, we are very concerned that such a huge mistake has been made.

“We have sought urgent reassurances that the support offered to the people affected is properly resourced and sensitive to any past trauma they may have experienced.

“We have also asked for an immediate explanation of what assessments were undertaken since the breach was discovered in February, and why it took until now for the people affected to be informed.

“The police and crime committee will be considering this matter and putting further questions to the GLA and Mopac at the start of our meeting next Wednesday.”

The employee responsible has not been sacked. City Hall said it preferred to follow a culture where staff were not afraid to flag errors and could learn from their mistakes.

As Mayor, Mr Khan is also the police and crime commissioner for London, and responsible for setting the Met’s budget and policing priorities.

He does this through Mopac, which is headed by Sophie Linden, the deputy mayor for policing. It has about 170 staff.

A spokesperson for Mr Khan said: “Clearly, this incident should never have happened, which is why a full and thorough investigation was launched, supported by independent experts.  

“City Hall is offering support to anyone who may have been impacted and is doing everything it can to ensure that this issue, which was caused by a manual error, cannot happen again.

“There is no evidence that any of this information was accessed by anyone with malicious intent or that it has been misused.”

The Mopac website is hosted on the Greater London Authority (GLA) website.

A GLA spokesperson said: “The Information Commissioner’s Office was notified within 72 hours of the issue being identified and continues to be kept updated. Analysis by independent experts, commissioned by the GLA, found no evidence that any of this information was accessed by anyone with malicious intent or that it has been misused. Mopac are contacting around 400 individuals this week as part of compliance with UK General Data Protection Regulation.”

A Mopac spokesman said: “A manual error made it technically possible for visitors to temporarily access the content submitted on the two online forms between November 2022 and February 2023.”