Over 9,000 cybercrime reports filed by UK citizens have sat inside a police database without being investigated after security software mistakenly identified them as containing malicious code and placed them in quarantine.
All the quarantined reports came from Action Fraud, an official UK police website where victims can report fraud and cybercrime.
According to an audit published this week by the HMICFRS (Her Majesty's Inspectorate of Constabulary and Fire & Rescue Services), thousands of these reports never reached police officers.
Instead, the software that scanned submissions for malware mislabeled incoming reports and set them aside, so they never reached a human operator.
The issue was tracked down to an October 2018 update of the Know Fraud system that receives the reports from the Action Fraud website and then hands them over to the National Fraud Intelligence Bureau (NFIB), a database run by the City of London police.
The bug was discovered in April 2019, when the HMICFRS began an audit of the UK police response to cyber-dependent crime.
Over 9,000 reports were found quarantined in the NFIB database at the time. The number was eventually taken down to 6,500 by July 2019, as London police sorted through the backlog.
"At the time of our inspection City of London Police told us that they were actively working to solve this problem," the HMICFRS said in its audit published today.
A London police spokesperson told the Guardian that the issue was linked to an IBM system and that they are working with the vendor to address it.
Officers are now belatedly contacting victims to acknowledge reports and follow through on inquiries.
Overall, aside from a few isolated incidents, the HMICFRS report found that UK police have "a well-established national strategy for dealing with the threat from cyber-dependent crime" with "efficient working arrangements between law enforcement agencies."