London's Metropolitan Police is still using Windows XP on over 35,000 of its machines, despite the operating system being 14 years old.
Widespread support for Windows XP ended in April 2014, which raised concerns that systems still running it would become a security issue as new vulnerabilities were discovered, only to remain unpatched by Microsoft. That concern applied to a wide range of systems, from ATMs to government computers.
"We have currently got 35640 Desktop and Laptop computers running Windows XP across all departments within the MET [Metropolitan Police]," reads the response to a Freedom of Information request filed by Motherboard.
Motherboard also asked for a breakdown of how many Windows XP machines are in each department, but the force was unable to provide one. "This is because many systems are shared and do not necessarily belong to an individual. MPS [Metropolitan Police Service] colleagues are able to hot desk between buildings. Therefore this information you seek is not held," the response explained.
Microsoft has found a temporary solution for institutions and companies that weren't ready to make the upgrade from Windows XP before support ended. This comes in the form of Custom Support Agreements: tailor-made deals for Microsoft to provide the respective companies with security patches and other updates for the aging operating system.
"The MPS have a Microsoft Custom Support Agreement (CSA) in place for Windows XP, that will continue to support the MPS environment," a Metropolitan Police spokesperson told Motherboard in an email.
"This will provide the support required to allow the deployment of the Next Generation Desktop on the MPS Estate which will ensure reduced risk as we exit XP from our estate," the spokesperson continued. The Metropolitan Police did not immediately respond to follow-up questions, including when the force expects to stop using Windows XP. PC World reported that the UK government paid Microsoft £5.5 million (around $8.3 million) for a year of extra support last year.
But even with this support, the Met's systems are still more vulnerable than more up-to-date systems would be.
"It's a high risk, and it's certainly one that is increasing over time," Darien Kindlund, Director of Threat Intelligence at cybersecurity company FireEye, told me. "We're now about a year after the official XP end-of-life date, so the fact of the matter is that as time progresses, attackers will have more and more pathways to compromising these kinds of legacy operating systems."