Northern Ireland police may have endangered its own officers by posting details online in error
At least it was a blunder and not a hostile attack, unlike what happened to another UK public body this week
A spreadsheet containing details of serving Northern Ireland police officers was mistakenly posted online yesterday, potentially endangering the safety of officers, given the volatile politics of the region.
The data leak involved a spreadsheet detailing the surnames and initials of all serving officers in the Police Service of Northern Ireland (PSNI), plus civilian staff members. It listed their rank or grade, plus location and department in which they work, but no other personal information such as private addresses is said to have been included.
In an official statement, the PSNI said the breach resulted from information included in error in response to a Freedom of Information (FoI) request, and was taken down quickly, but the service does not appear to know whether the information in the spreadsheet was accessed while it was online.
According to The Times newspaper, the FoI request had sought a breakdown of PSNI officers and staff by rank and grade, but a full spreadsheet was included by mistake.
"Although it was made available as a result of our own error, anyone who did access the information before it was taken down is responsible for what they do with it next. It is important that data anyone has accessed is deleted immediately," said Assistant Chief Constable Chris Todd, the PSNI's Senior Information Risk Owner.
The PSNI said that an initial notification has been made to the Information Commissioner's Office (ICO) regarding the data leak, and that officers are investigating the circumstances surrounding the release of the data.
"The matter is being fully investigated and a Gold structure is in place to oversee the investigation and consequences. It is actively being reviewed to identify any security issues," Todd said.
According to The Guardian newspaper, the data was uploaded around 2:30pm and was visible to the public for two and a half to three hours. Some news reports claim that some of the details have already been shared on social media messaging groups.
We asked the PSNI if there was any indication that the spreadsheet was accessed during the time it was online, but a spokesperson told us that there was nothing further to add beyond the information available in the official statement.
This is the second significant data incident involving a notable public body in the UK this week, following the attack on the Electoral Commission disclosed yesterday, raising questions about how seriously data security is being taken by such organizations in the country.
There are differences in the two incidents, of course, as the Electoral Commission's infrastructure was infiltrated by an unknown attacker, likely a hostile state, while the PSNI data breach was due to the unintentional disclosure of sensitive information by the organization itself.
- UK voter data within reach of miscreants who hacked Electoral Commission
- Brit healthcare body rapped for WhatsApp chat sharing patient data
- Millions of people's data stolen because web devs forget to check access perms
- Medical files of 8M-plus people fall into hands of Clop via MOVEit mega-bug
However, the PSNI's mistake could have serious consequences, as the police in Northern Ireland still face threats from extremists on both sides of the region's sectarian divide, despite the signing of the Good Friday Agreement 25 years ago.
In a statement, the Chair of the Police Federation for Northern Ireland, Liam Kelly, called the incident "a breach of monumental proportions" and said an urgent inquiry is now required.
"We're fortunate that the PSNI spreadsheet didn't contain officer and staff home addresses, otherwise we would be facing a potentially calamitous situation," Kelly said.
"Inadequate or poor oversight of FoI procedures must be addressed and addressed urgently. New safeguards are obviously required to prevent this from ever happening again."
Richard Forrest, Legal Director at UK law outfit Hayes Connor, said it was concerning how a data breach of this magnitude could happen within the justice sector. "The majority of data breach cases we see are down to human error. This case is no different, highlighting the crucial need for better staff training on how to handle personal data to prevent such risks to employees," he said.
Official threat level: Severe
The official threat level from Northern Ireland-related terrorism currently stands at severe, which means an attack is considered highly likely, and is just one step down from the maximum threat level.
"This is an issue we take extremely seriously and as our investigation continues we will keep the Northern Ireland Policing Board and the Information Commissioner's Office updated," Todd said.
In a posting on Twitter*, Secretary of State for Northern Ireland Chris Heaton-Harris said: "I'm deeply concerned by the data breach involving the PSNI. My officials are in close contact with senior officers and are keeping me updated." ®
*Yes, we're still calling it Twitter.