Northern Ireland cops count human cost of August data breach
Officers potentially targeted by dissidents can't afford to relocate for their safety, while others seek support to change their names
An official review of the Police Service of Northern Ireland's (PSNI) August data breach has revealed the full extent of the impact on staff.
The incident, which affected 9,483 officers, was branded "the most significant data breach that has ever occurred in the history of UK policing" by Commissioner Pete O'Doherty of the City of London Police, and the damage is said to be "unquantifiable."
The review lays bare the broad impact on staff in Northern Ireland, detailing how various officers have been forced to relocate out of fear for their safety.
Staff safety was one of the primary concerns when the breach was first disclosed, given that the identities of every serving PSNI officer were leaked online for more than two hours.
The Northern Irish police force considers itself particularly vulnerable to disclosure issues, and usually identities of its police officers are closely guarded due to the ethno-nationalist conflict that has raged on the island of Ireland for decades. Sectarian violence was largely dampened after paramilitaries laid down arms following the signing of the Good Friday Agreement in 1998, but strong feelings and occasional outbreaks of violence persist.
At the time of the data breach disclosure, the PSNI said no staff members were being relocated, but the review revealed that one officer decided to relocate themselves and their family out of concern for their safety.
The following months saw an undisclosed number of officers also decide to relocate for the same reason. There are more that would like to relocate, according to internal reporting, but don't have the financial means to do so. This particularly applies to junior and younger members of staff.
More than 50 sickness absences have been reported, specifically citing the incident as the cause for ill health, and some have largely withdrawn from their social lives, refusing to see family or friends due to safety fears.
Staff well-being services are currently stretched with the number of officers seeking support as a result of a force-wide decline in mental health. Staff are unable to access the support they need in a timely manner and aren't able to access private health services due to financial pressures.
A number of officers also reportedly sought PSNI support with name changes but were told this was an unnecessary step.
A single resignation was issued in relation to the breach, though it's not understood if this references the resignation of former police chief Simon Byrne or another officer.
The review highlighted that despite the significant impact the incident has had on the force, staff responses to it were varied. While some expressed distress, sadness, and dismay, many others "displayed a strong resolve to continue serving the communities of Northern Ireland and keeping them safe."
More than 4,000 staff members contacted the threat assessment group assembled by the PSNI for support and information. A similar number are thought to be part of a complaint issued to the Information Commissioner's Office (ICO) and a civil case against the force.
Operational impact on the PSNI is also thought to be significant, with costs expected to be in the region of £24-37 million ($30-46.5 million) – a sum the PSNI could not afford due to other financial constraints. The total costs encompass factors such as home security, litigation, and a potential regulatory penalty.
The threat to the force's ability to recruit and retain staff is also thought to be a particular concern, something that even before the data breach was considered an important issue, especially among "certain communities."
"There is a risk to the free flow of intelligence, the lifeblood of policing, if those providing it cannot be reassured that they can do this in confidence," wrote O'Doherty. "Staff associations also articulated that even those amongst them who have thus far felt reasonably comfortable standing up for progress and their beliefs now feel less so.
"Of particular concern is the lasting impact and potential for future exploitation of the information if the page is turned too quickly, or lessons are not taken seriously or change fully embedded."
Data protection failings
The review highlighted a litany of issues surrounding the force's approach to data protection and the Northern Ireland Police Board's (NIPB) role in holding the PSNI's chief constable to account for the delivery of its services.
A number of audits have been ordered to investigate information security and data protection controls, but some have been delayed or canceled, and the scope of the audits has been limited.
Those that have taken place have found adequate assurances in these areas, though the ICO's audit, carried out separately, suggested there was a lack of oversight within the organization as regards data protection.
A GDPR audit in 2019 gave a "satisfactory" rating pending the completion of tasks within 12 months, but some still remain incomplete today.
Generally, the PSNI has been "slow to adapt" to updated data protection regulation, the review noted, and in 2021 the implementation of the Data Protection Act 2018 was still "far from complete."
- Yet another UK public sector data blab, this time info of pregnant women, cancer patients
- Home of the world's longest pleasure pier joins public sector leak club
- Irish cops data debacle exposes half a million motorist records
- Northern Ireland's top cop quits after security breach, disciplinary controversy
Some progression has been made since then, but O'Doherty said this progress could be seen as either "optimistic" or "overstated." For example, obligations regarding data protection impact assessments (DPIAs) are not being met, but have been marked green – one of a number of areas that are marked positively despite the official status being "to be completed."
DPIAs were highlighted by the ICO as an area in need of attention, especially given the police's arsenal of intrusive tools, such as automatic number plate recognition (ANPR), bulk and sensitive information sharing, facial recognition, internet search tools, and algorithmic risk assessment tools.
Among the various recommendations made to the PSNI to improve its data protection, the embedding of DPIAs within projects was highlighted as a key measure that must be taken.
The Data Protection Act 2018 also mandated the creation of a data protection officer (DPO) within organizations, but the establishment of this role within the PSNI has been delayed through periods of having an interim DPO and no DPO at all.
The role also has no direct reporting mechanism to senior management – also a legal requirement.
"With the significant threats facing policing by external cyber threat actors, we can't allow ourselves to be vulnerable from within and must do everything in our power to protect our data, information, and infrastructure, and give our staff and members of the public, the absolute confidence and trust that we will protect their information," said O'Doherty.
"In order to achieve this, we must foster a more modern and robust approach to information management and security, and ensure we have the leadership, governance, structures, and systems in place to protect the institution of policing and everyone who is part of it and affected by it.
"This report not only serves to highlight how the breach occurred and what measures must be taken to prevent this from ever happening again, it is a wakeup call for every force across the UK to take the protection and security of data and information as seriously as possible and in this way, many of the recommendations in this report may apply to many other police forces."
Responding to the review's publication, PSNI chief constable Jon Boutcher said: "The report highlights the fact that the breach that occurred was not a result of a single isolated decision, act nor incident by any one person, team or department, but more, a result of the PSNI as an organization not better seizing opportunities to better and more proactively secure and protect its data, and identify and prevent risk earlier on, in an agile and modern way.
"The Service Executive Team will now take time to consider the report and the recommendations contained within it. We have already taken action on one of the recommendations and the role of SIRO (Senior Information Risk Owner) has been elevated to the post of Deputy Chief Constable. This will ensure that information security and data protection matters will be immediately visible to the Deputy Chief Constable, Chief Operating Officer, and Chief Constable and they can be afforded the support and attention they critically deserve.
"We will work with the Northern Ireland Policing Board to consider the implications of the Report and a timeframe for the completion of relevant actions that have been identified." ®