An investigator at Europe's FBI Europol took home a USB stick packed with terror probe documents and accidentally spilled the files on the internet.
Dutch telly documentary series Zembla reported this month that about 700 pages of analysis on terrorist groups and related sensitive information were exposed online as a result of the officer's security blunder.
The secret intelligence documents ended up on a personal hard drive that was shared to the web with no password protection, according to security firm WinMagic.
The now-ex-staff member took the dossier home in order to work on it outside office hours, a Europol spokesman told The Register this week. He claimed that “most of the data is almost 10 years old,” adding:
A recent case included in a Dutch television programme concerned the breach of an ex-Europol staff member with Europol’s security regime. The concerned former staff member, who is an experienced police officer from a national authority, uploaded Europol data to a private storage device while still working at Europol, in clear contravention to Europol policy.
A security investigation regarding this case is ongoing, in coordination with the respective authorities at national level to which the staff member returned. Current information suggests that the security breach was not ill-intended.
Although this case relates to Europol sensitive information dating from around 10 years ago, Europol immediately informed the concerned Member States. As of today, there is no indication that an investigation has been jeopardised due to the compromise of this historical data. Europol will continue to assess the impact of the data in question, together with concerned Member States.
Human error is the weakest link when it comes to the intersection of staff, data, and technology. Although this risk can never fully be ruled out, Europol’s systems and the security training offered to Europol staff are constantly reviewed.
Mark Hickman, WinMagic's chief operating office, commented: “If organisations like Europol which are so tight on security can make mistakes, it brings into stark reality how much inherent risk there is for businesses if the right approach is not taken to educating employees, as well as having the right technology, to protect data at rest.” ®