The Information Commissioner’s Office (ICO) is conducting an investigation into how a reporting form on a child protection website was found to be insecure.
Last week, a member of the public alerted the Child Exploitation and Online Protection Centre (CEOP) to the fact that the webpage used to report alleged offenders was unencrypted. Users accessing the form through a third-party website, such as Google or Facebook, reached an http address instead of the secure https URL.
CEOP, which was set up in 2006 to protect children from paedophiles online, said the issue was fixed the same day it was reported.
A spokesperson for the agency said that as far as CEOP is aware, no personal details have been compromised.
“There was an error and that has been rectified. The risk was extremely low.
“CEOP receives a number of reports through a number of different routes so the reports in question are a small proportion. But we take the security of our systems and reports seriously,” she said.
The spokesperson added that a potential hacker would have to be “extremely technically advanced” in order to affect CEOP’s systems.
A spokesperson for the ICO said: “We are making enquiries into the circumstances of this alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”
Garry Sidaway, director of security strategy at IT security solutions provider Integralis, said: “This just goes to show that even in this day and age, when encryption and data protection should be a default design requirement, configuration mistakes are still being made. Security should be designed in and not bolted on.
“The architecture around protecting personal data and information is well proven. Clearly here, whilst no information was lost, the necessary steps weren’t taken to protect the information.”