The Neighbourhood Alert system, supported by Action Fraud, was designed to facilitate communication among concerned citizens and provide tailored updates regarding local crime. However, a flaw in its security permissions allowed anyone with an email address to register and access sensitive information, including phone numbers, addresses, and in some instances, photographs of its users.
This design flaw enabled members to delineate neighbourhood watch boundaries on a city-wide scale, granting them access to data belonging to hundreds of thousands of suggested members residing within those boundaries. The system’s users included local fire and rescue departments, police and crime commissioners, and councils.
Re-branded versions of the platform, such as actionfraudalert.co.uk for Action Fraud, were also affected, as they sourced data from the Neighbourhood Alert database. Consequently, individuals who registered through one scheme could potentially access data from another scheme located elsewhere in the country.
Among those affected by the breach were prominent figures such as Members of Parliament, civil servants, and even police officers. Notably, a veteran intelligence officer responsible for combating international organized crime was also impacted.
The security loophole was only rectified after data protection experts alerted VISAV Ltd, the company responsible for managing the scheme, earlier this month. VISAV, which originated as a web design firm in 1998 and operates a Robin Hood-themed gift shop in Nottinghamshire, promptly addressed the issue after being notified.
Initially, both VISAV and the Neighbourhood Watch Network downplayed the severity of the breach, attributing it to a single mistakenly-approved scheme affecting a small number of individuals. However, they acknowledged the extent of the problem after reporters explained in detail how the flaw could be exploited systematically.
John Hayward-Cripps, CEO of the Neighbourhood Watch Network, expressed regret over the security loophole, emphasizing the organization’s commitment to addressing the issue and safeguarding user data. Similarly, Mike Douglas, VISAV’s Product Director, extended apologies for any distress caused by the incident and affirmed their cooperation with investigations to prevent future breaches.
Action Fraud gave assurances that its alerts were not affected by the incident, while authorities continue to investigate the matter and assess the measures needed to prevent similar breaches in the future.