nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes

30,000 London gun owners hit by Met Police 'data breach'

Who gave marketing agency access to super-sensitive address database?

By Gareth Corfield, 19 Apr 2017

London gun owners are asking questions of the Metropolitan Police after the force seemingly handed the addresses of 30,000 firearm and shotgun owners to a direct mail marketing agency for a commercial firm's advertising campaign.

The first any of the affected people knew about the blunder was when the leaflet (pictured below) landed on their doormats in Tuesday's post.

Titled "Protect your firearms and shotguns with Smartwater", the leaflet – which features Met Police logos – advises firearm and shotgun certificate holders to "buy a firearms protection pack at a reduced price" of £8.95.

Smartwater is basically invisible ink. You mark your property using it and if you are burgled, police can use a UV light reader to see who rightfully owns stolen items. The company behind it was formed by an ex-police detective and his industrial chemist brother, and the firm has since forged very close links with a number of UK police forces. Its website boasts of the "traceable liquid's" crime-reducing properties, something that police actively endorse.

The promotional firearms security packs being peddled by Smartwater and the Met appear to be little more than a small can of the "traceable liquid" and the "right to display SmartWater's THIEVES BEWARE® deterrent signage for 5 YEARS", as the product page puts it.

The security implications of the Met distributing home addresses of the capital's 30,000 gun owners (about 5,000 rifle owners and 25,000 shotgun owners) are severe. A large part of firearms security is through obscurity; you take every precaution against strangers learning what your home address is if you store firearms there because that makes you a target for criminals.

It is not clear why firearms and shotguns stamped with serial numbers recorded against the owner's name and address on a police-controlled database need extra marking. Forensic scientists are easily capable of reading a filed-off or altered serial number, two common tricks criminals use in the hope of making their illegally acquired guns untraceable.

Neither is it clear why the Met is helping a commercial advertising campaign. While Smartwater kits are routinely offered to burglary victims by the force, this appears to be the first time it has supplied personal details from its databases to marketers.

The front and reverse of that Met Police Smartwater firearms leaflet

The front and reverse of the Metropolitan Police Smartwater firearms leaflet

Questions were immediately raised as to whether the Met had broken the law. The data protection statement that both police and certificate holders agree to is found in Firearms Form 201 (PDF), the application form for a firearm certificate. It says:

I understand that all information submitted will be handled in accordance with the Data Protection Act 1998 and the Freedom of Information Act 2000 and connected legislation. I understand and give consent for information contained within my application form or obtained in the course of deciding the application to be shared with: my GP, other government departments, regulatory bodies or enforcement agencies in the course of either deciding the application or in pursuance of maintaining public safety or the peace.

Note: Any information shared will be shared in accordance with data sharing protocols. We do not share your personal or company details with other applicants or members of the public and treat information in connection with the application in confidence, but individuals should be aware that we may be required to disclose some information in accordance with the legislation referred to above.

A spokesperson for the Information Commissioner's Office told The Register: "Businesses and organisations are required under the Data Protection Act to keep people's personal data safe and secure. If people have concerns about the way an organisation is handling their personal data, they can report them to us."

The British Association for Shooting and Conservation told us: "BASC has spoken with the Metropolitan Police and we understand they are investigating this matter. We are not in a position to comment further until the result of that investigation is known."

A Met press officer did not immediately respond to our questions, saying that the key person responsible was on leave.

The envelope containing the leaflet was stamped with a return address for "YDM", Bramley Business Centre, Leeds. A direct marketing company called Yes Direct Mail, based at the same address, acknowledged our call seeking comment and said its managing director was out of the office. ®

The Register - Independent news, views and opinion for the tech sector. Part of Situation Publishing