Earlier this year, the Information Commissioner’s Office (ICO) carried out a consensual audit of the Metropolitan Police’s compliance with the Data Protection Act. Among other areas for improvement in the force’s data security arrangements, the audit found that the force was still using Windows XP, an outdated operating system.
The problem is that Windows XP is no longer supported, which means that the operating system is not receiving critical security patches. The operating system poses a residual risk to personal data.
Apart from that, the regulator also discovered that the force’s backup arrangements for file systems were not tested, so in the event of a disaster, it is not a given that systems could be restored. Furthermore, the database used to store business continuity plans is unsupported and not backed up.
The ICO also noted some weaknesses in the force’s procedures for removing access to buildings and applications where this is no longer needed, which creates the unnecessary risk of unauthorised access to buildings.
The Metropolitan Police responded that they are currently in the process of renewing their IT infrastructure. However, the situation could get complicated, as certain specialised applications might not be supported on newer platforms.
Finally, the force pointed out that they have already upgraded more than 17,000 devices to Windows 8.1, which leaves around 10,000 devices still using Windows XP.
Although the NHS has also been criticised for relying on Windows XP, industry experts have pointed out that 97% of WannaCry infections happened on Windows 7. The malware merely caused Windows XP to crash.