Connect with us

Hi, what are you looking for?



UK’s Metropolitan Police Still Using 10,000 Windows XP Computers

Legacy Windows XP systems used by public authorities in the UK remains a concern. The WannaCry outbreak last month followed by the current ‘NotPetya‘ outbreak — both using a vulnerability patched in newer versions of Windows, but initially unpatched in XP — highlights the problem.

Legacy Windows XP systems used by public authorities in the UK remains a concern. The WannaCry outbreak last month followed by the current ‘NotPetya‘ outbreak — both using a vulnerability patched in newer versions of Windows, but initially unpatched in XP — highlights the problem.

Information obtained by Steve O’Connell, a member of the London Assembly and a Conservative Party spokesperson for policing and crime, shows that the Metropolitan Police Service (MPS, or the Met) was still using 18,293 XP machines on their network at the time of providing the information. Since XP is no longer supported by Microsoft, it is left vulnerable to any new exploits such as EternalBlue and DoublePulsar — and it appears that only the tendency for WannaCry to crash XP rather than infect it prevented the worldwide outbreak from being far worse than it was.

The Met’s position is more precarious than implied by O’Connell’s figures. Last month, the UK’s data protection regulator, the ICO, published findings (PDF) from a consensual audit of the Met. While finding some areas of ‘good practice’, it also noted other areas in need of improvement.

In particular, one area for improvement includes the continued use of XP on some desktops and laptops leading to “a residual risk to personal data.” But in relation to WannaCry and NotPetya, this risk is magnified by weaknesses in both the Met’s backup and business continuity procedures. “Backup arrangements for file systems are not tested to ensure that they are recoverable in the event of a disaster.”

Furthermore, “The database used to store BC information is unsupported and not backed up.”

The ICO’s conclusion was that “The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance [with the Data Protection Act].”

The combination of a vulnerable system and untested recovery capabilities is particularly susceptible to ransomware — and even more so where the ransomware attacks are more intent on mischief than collecting ransoms, as seems to be the case with both WannaCry and NotPetya. The threat to, or potential loss of, personal data stored by the Metropolitan Police is particularly concerning.

Advertisement. Scroll to continue reading.

“It is vital the Met is given the resources to step up its upgrade timeline before we see another cyber-attack with nationwide security implications,” warns O’Connell. But, of course, things are never so simple. SecurityWeek reached out to the Met to confirm O’Connell’s figures, and received the following statement:

“The MPS is undergoing a complete refresh of its information technology processes, infrastructure, and equipment – including its desktop computers. 

“However, the upgrade programme is not as simple as it would be for many other organizations due to the amount of specialist legacy software upon which parts of the MPS still rely.

“Replacements or remediation for this software that are compatible with a more modern operating system have to be ready before the roll-out is completed to ensure continued operational effectiveness.

“We have completed the upgrade of just over 17,000 devices to Windows 8.1, and this reduces the number of desktops running Previous XP to around 10,000.”

The spokesperson did not know, and was unable to find out in time for this article, whether the Met has patched all its Windows systems (not just the XP ones) against MS17-010 vulnerabilities (also known as the EternalBlue vulnerabilities) after the WannaCry outbreak. However, he did add, “The entire Met ICT estate has a number of layers of industry-leading security, which we have been monitoring closely over the past 24 hours. The MPS estate currently remains un-impacted by the cyber-attack and our security checks continue.”

The complicating factor of legacy software on legacy systems is a problem, and not just for the Met. “I’m sympathetic to the fact that financially stretched government agencies and public services may not feel that an OS upgrade is the best use of scarce resources,” independent security expert David Harley told SecurityWeek

“Sometimes,” he continued, “there are technical reasons for not upgrading a system required to run specific software or peripherals. There may be systems for which an OS upgrade is expected to damage functionality for other reasons, such as underpowered hardware. There are systems that may not require updating because they’re fully air-gapped, I suppose. And the risk from running systems that can no longer be updated is sometimes overhyped: there’s plenty of malware that doesn’t rely on unpatched Windows versions to allow it to execute.”

But none of this means that organizations can relax their efforts to upgrade XP systems. “Nonetheless,” concluded Harley, “the risk of attack by malware that makes use of vulnerabilities in unpatched machines (such as the new Petya variant that apparently makes use of EternalBlue) is quite significant enough to make it unwise to rely on systems that are no longer normally updated, even if the agencies concerned are taking advantage of rare events like Microsoft’s XP patch in May… After all, dangers to their data, systems and internal processes don’t only affect their ‘business’ but all of us.”

The bottom line is that 10,000 XP systems still in use by the Metropolitan Police Service is really 10,000 too many.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.