Police tighten computer security after leaks, viruses

PUBLISHED : Sunday, 07 December, 2008, 12:00am
UPDATED : Sunday, 07 December, 2008, 12:00am

After a string of embarrassing data leaks earlier this year, the Hong Kong Police Force says it is confident it is winning the battle to protect its computer system and people's privacy.

At the same time, the Sunday Morning Post can reveal that practices similar to those leading to the data leaks also saw police computers come under attack by viruses.

The Legislative Council's panel on information technology is due tomorrow to discuss a review of government IT security, which identified a string of data leaks from departments including the police, customs and immigration since May.

In an exclusive interview, director of police management services Mike Dowie said the force had successfully fought off several virus attacks earlier this year.

Police computers were probably inadvertently infected by officers taking work to and from the office on USB flash drives.

'We did have a number of cases where officers were bringing in privately owned thumb-drives [USB drives] and using them in the workplace,' Mr Dowie said. 'What, unfortunately, some of them failed to realise is ... that it is very easy for those sorts of drives to become infected.

'Fortunately our firewall prevented these viruses from getting into the overall system. We were able to isolate the viruses and clean up the computers involved.'

Similar practices led to data leaks earlier this year that saw the personal details of a number of people appear on the internet through the popular file-sharing program Foxy.

'We examined the issue and found that the problem was that some officers, with the best of intensions, had taken work home and did not understand that Foxy would grab this information and share it,' Mr Dowie said. 'Some of them did not even know that Foxy had been installed on their home computers.

'Some of the documents that got out had personal data on them, and other information that we would have preferred was not in the public domain.'

Mr Dowie said police had taken the opportunity to review procedures and had examined whether they had enough computers. No officers below inspector level have their own dedicated computer. Lower-ranked officers share terminals, and there are strict rules that they are not to leave any information on the computers.

'We had to make sure those shared computers were not holding sensitive information, so we had a sanitisation exercise,' Mr Dowie said. 'And we did find some had info on them that they shouldn't have.

'So since then we've had a series of similar sanitisation exercises to make sure the guys and girls are not leaving material on the hardware that they should not be.' The force also bought some encrypted USB flash drives that would only work on force computers.

'The policy on private thumb-drives now is that it is just an absolute no-no. At the same time, we have used technology to cut out private drives. We registered all the encrypted drives to the system, so private ones will not be accepted any more.'

The force was also buying highly encrypted hard drives capable of receiving and transmitting sensitive information.

But purchasing protected drives was not the end solution. Educating the 35,000 or so people within the police force and its satellite organisations was probably more important.

'We must learn from what happened in May,' he said. 'It is about constant education for officers, keeping the importance of IT and data security high in their minds.'