Gwent Police reportedly failed to inform 450 people that their information could have been compromised.
A police force in South Wales is being investigated after it failed to report a hack that could have exposed confidential tip-offs by members of the public.
Hundreds of online reports made to Gwent Police could have been accessed by an unknown party due to a bug discovered last year, reports Sky News.
The nature of the vulnerability hasn’t yet been reported, but the online tool was removed in February after the flaw was discovered.
This means that the 450 reports submitted via the online form by that point could have been seen by hackers.
The force hasn’t confirmed whether the hundreds of people affected had their data compromised.
But it did fail to report the possible breach to both the Information Commissioner’s Office (ICO) and the Police and Crime Commissioner’s (PCC) office.
Gwent Police is now being investigated for a possible breach of the Data Protection Act.
The force claims it is highly unlikely any personal data was viewed or stolen, but that it couldn’t be certain this was the case.
A spokesperson said: “However, in mitigation, for someone to access this data, they would have had to have been actively looking on the specific area of the site, had a reasonable level of technical skill and known a complex URL (which was long in length and a mixture of random characters).
“There has been no other form of communication (complaints or any malicious activity on our security system). It was concluded that there was a high probability no data had been accessed and no risk to any individuals.”
According to reports, an internal investigation in February didn’t reveal the scale of the hack because the hosting company was only able to give records for the previous 24 hours.
The ICO and the PCC for Gwent, Jeff Cuthbert, confirmed they will be investigating the incident.
Cuthbert told Sky News: “Moving forward, I will seek reassurance that the protection of personal data of the public we serve is of paramount importance and that any lessons learnt from previous breaches are implemented with immediate effect.”