‘Monumental’ Data Breach Exposes Northern Ireland Police Officers

Every police officer in Northern Ireland has had their names and departmental locations exposed in a self-inflicted data breach

A senior officer at the Police Service Of Northern Ireland (PSNI) has apologised after a self inflicted data breach exposed the names and ranks of every serving officer in the province.

According to the PSNI, the breach occurred after the surnames and initials of current police officers, and civilian staff members, alongside the location and department they work in, were mistakenly released in a spreadsheet in response to a Freedom of Information Request (FoI).

The data breach could have potentially become a life-threatening situation, given Northern Ireland’s history of terrorist attacks. However the PSNI said no other personal information was released, such as the home or private addresses of police officers.

Whistleblower leak keyboard security breach © CarpathianPrince Shutterstock

PSNI data breach

The admission of the breach came in a statement from PSNI’s Senior Information Risk Officer, Assistant Chief Constable Chris Todd.

“Police are investigating the circumstances surrounding the release of data within a spreadsheet,” said Todd. “The data concerned contained the surnames and initials of current employees alongside the location and department within which they work. No other personal information was included. The breach resulted from information included in error in response to a Freedom of Information Request.”

“We have informed the organisation to make our officers and staff aware of the incident, appreciating the concern that this will cause many of our colleagues and families,” said Todd. “We will do all that we can to mitigate any such concerns.”

“An initial notification has been made to the office of the Information Commissioner regarding the data breach,” Todd added. “The matter is being fully investigated and a Gold structure is in place to oversee the investigation and consequences. It is actively being reviewed to identify any security issues.”

Todd then underscored the potential risks associated with this self-inflicted data breach.

“The information was taken down very quickly,” said Todd. “Although it was made available as a result of our own error, anyone who did access the information before it was taken down is responsible for what they do with it next. It is important that data anyone has accessed is deleted immediately.”

“This is an issue we take extremely seriously and as our investigation continues we will keep the Northern Ireland Policing Board and the Information Commissioner’s Office updated,” Todd concluded.

What happened?

The Guardian reported that the police data had been uploaded at 2.30pm on Tuesday, and was taken down three hours later.

Chris Todd apologised to PSNI officers and said the severe terrorist threat facing officers has made news of the extensive data breach the “last thing that anybody in the organisation wants to be hearing”, the Guardian reported.

“Regrettably, this evening, I’ve had to inform the Information Commissioner’s Office of a significant data breach that we’re responsible for,” Todd was quoted as saying. “We’ve responded to that (FoI) request, which was seeking to understand the total numbers of officers and staff at all ranks and grade across the organisation, and in the response, unfortunately, one of our colleagues has embedded the source data, which informed that request.”

“So, what was within that data was the surname, initial, the rank or grade, the location and the departments for each of our current employees across the police service,” said Todd.

“We believe it was uploaded about 2.30pm this afternoon,” he was quoted as saying. “It came to my attention as the senior information risk owner at about 4pm, with the co-operation of the host provider it was taken down within the hour.”

Monumental breach

The Guardian reported that the chair of the Police Federation for Northern Ireland has called for an urgent inquiry.

Liam Kelly reportedly said: “This is a breach of monumental proportions.”

“Even if it was done accidentally, it still represents a data and security breach that should never have happened,” Kelly reportedly said. “Rigorous safeguards ought to have been in place to protect this valuable information which, if in the wrong hands, could do incalculable damage.

“Inadequate or poor oversight of FoI procedures must be addressed and addressed urgently,” said Kelly. “New safeguards are obviously required to prevent this from ever happening again.”

The Police Service of Northern Ireland was formerly known as the Royal Ulster Constabulary (RUC) until 2001.

During the Troubles, the RUC suffered 319 police officers killed and almost 9,000 injured in paramilitary assassinations or attacks by Republican terrorists.

So far two PSNI police officers have been killed by terrorist attacks.