A British from its online forms to servers unencrypted.
Some of the data was hugely sensitive and contained personal information about child abuse cases.
The British privacy watchdog, the Information Commissioner's Office (ICO), received a complaint that after it was noticed the security gaffe on the Child Exploitation and Online Protection Centre (CEOP) website.
The ICO said it did not have evidence that the information was compromised, and added the CEOP had to improve its data handling practices.
“They discovered that the website’s reporting page was insecure, meaning that any information would be transmitted over the internet in an unencrypted format in clear text,” the ICO said.
“Investigations revealed that this had been the case for several months, and the fault had not been identified either during initial testing of the new website, or in the following months. Several other website security weaknesses subsequently came to light.”
CEOP played down the seriousness of the situation, highlighting the fact that no information has been compromised.
“Members of the public are each day visiting ceop.police.uk to make reports about suspected sexual exploitation of children or to find helpful advice and guidance,” a CEOP spokesperson said.
"There is no evidence to suggest that any such reports have, in any way, been compromised."
“CEOP took action to put things right immediately after we knew there was the hypothetical potential for this to be compromised and have taken on board with immediate effect all the recommendations to ensure our site is not only secure, but meets the highest standards.”