August 9th 2023
Police Service of Northern Ireland data breach
PSNI apologises for mistake that revealed names of all its 10,000 staff, their roles and where they are based – sparking security fears.
What’s being described as the worst security breach in the 22-year history of the PSNI was the result of human error but could have serious consequences for the safety of staff.
Photo by Greg Clarke
The breach was not the result of a cyber-attack but down to human error in responding to a Freedom of Information (FoI) request that asked for a breakdown of all staff ranks and grades. As well as supplying a table of this information, the response included a spreadsheet with the surnames of all 10,000 PSNI staff, their initials, roles and where they are based. This included all current serving police officers and civilian staff.
This sensitive data was published online for between two and three hours before being taken down.
Although no private addresses were included in the data break, this is an extremely serious matter. Police in Northern Ireland must already take personal security very seriously. Earlier this year, DCI John Caldwell suffered life-changing injuries after being shot by two gunmen while out with his young son one evening. Given the risks, some police keep their employment secret, even from members of their own family.
The Information Commissioner’s Office has been made aware of the incident and is investigating.
Liam Kelly, chair of the Police Federation of Northern Ireland, has called this, ‘a breach of monumental proportions.
‘Rigorous safeguards ought to have been in place to protect this valuable information which, if in the wrong hands, could do incalculable damage.’
Assistant Chief Constable Chris Todd, Senior Information Risk Owner at the Police Service of Northern Ireland, issued the following statement:
‘Police are investigating the circumstances surrounding the release of data within a spreadsheet. The data concerned contained the surnames and initials of current employees alongside the location and department within which they work. No other personal information was included. The breach resulted from information included in error in response to a Freedom of Information Request.
‘We have informed the organisation to make our officers and staff aware of the incident, appreciating the concern that this will cause many of our colleagues and families. We will do all that we can to mitigate any such concerns.
‘An initial notification has been made to the office of the Information Commissioner regarding the data breach.
‘The matter is being fully investigated and a Gold structure is in place to oversee the investigation and consequences. It is actively being reviewed to identify any security issues.
‘The information was taken down very quickly. Although it was made available as a result of our own error, anyone who did access the information before it was taken down is responsible for what they do with it next. It is important that data anyone has accessed is deleted immediately.
‘This is an issue we take extremely seriously and as our investigation continues we will keep the Northern Ireland Policing Board and the Information Commissioner’s Office updated.’
In related news:
Stricter thresholds for reporting network and information systems incidents
Leave a Reply