Data containing surnames and initials of more than 10,000 current employees of the Police Service of Northern Ireland (PSNI), along with location and department information, have been leaked, according to analysis by Julian O’Neill, the BBC’s NI home affairs correspondent. It is believed to be the worst data breach in the organisation’s 22-year history.
The “monumental” data breach followed an error in response to a Freedom of Information (FoI) request, where the information was published online for almost three hours.
Senior Information Risk Owner, Assistant Chief Constable Chris Todd, said: “The information was taken down very quickly. Although it was made available as a result of our own error, anyone who did access the information before it was taken down is responsible for what they do with it next. It is important that data anyone has accessed is deleted immediately.”
The FoI request had asked the PSNI to provide a breakdown of all its staff ranks and grades. However, when the PSNI shared the information, the force also included a spreadsheet with the additional data, which covered 40 PSNI officers based at MI5 headquarters.
“This is an issue we take extremely seriously and as our investigation continues we will keep the Northern Ireland Policing Board and the Information Commissioner’s Office updated,” Todd added. He also called the error unacceptable.
Officers concerned over safety
In the aftermath of the breach, many officers have expressed concerns over their safety. “We have neighbours who don’t know what we do and when we got a childminder we didn’t tell her for ages what it was we did,” one serving officer told the BBC.
Todd said: “As a service we are acutely aware of the seriousness of this breach and have declared it to be a critical incident. We fully understand the very real concerns being felt by our colleagues and their families and we are working hard to do everything we can to mitigate any risk. We are working with our security partners and organisations to investigate this incident.”
The Northern Ireland Secretary Chris Heaton-Harris also said that he was “deeply concerned by the data breach” and that senior PSNI officers were keeping him updated.
Social Democratic and Labour Party leader Colum Eastwood tweeted: “The level of incompetence involved here is staggering. So dangerous.”
The Information Commissioner’s Office (ICO) has also been contacted to investigate the breach. “Whilst this is a matter of serious concern, we do not yet know the extent to which the personal information was accessed during the time it was exposed,” said John Edwards, the Information Commissioner. He emphasized the importance of keeping data safe.
“The incident demonstrates just how important it is to have robust measures in place to protect personal information, especially in a sensitive environment.”
Spreadsheet stolen from car
A day after the breach, it also emerged that the police are investigating another data breach after a spreadsheet naming more than 200 serving officers and staff, a laptop and radio were stolen from a senior officer’s car in Newtownabbey in July.
“This confirmation by the Service makes matters worse. Clearly, urgent answers are required. How did this happen? What steps were put in place to advise and safeguard so many colleagues?” said Liam Kelly, Chair of the Police Federation for Northern Ireland.
“The major security breach was bad enough, but this heaps further additional pressure on the PSNI to produce credible explanations around data security protocols and the impact on officer safety.”
Going forward, the PSNI said that its investigation into the data leak is ongoing, and that it has sought the assistance of an Independent Adviser to conduct an end-to-end review of its processes to understand how the breach happened and what can be done to prevent future breaches.