The Police Service of Northern Ireland (PSNI) is today rushing to contain and explain a major data breach that saw a spreadsheet containing the surname, initial, rank, location and department of every serving officer and civilian staff member posted and shared online.
The data breach was a botched response to a Freedom of Information (FoI) request from a member of the public who had wanted a breakdown of staff rank and grades but was instead provided with a much larger dataset. This was published on FoI website What Do They Know for approximately two to three hours on the afternoon of Tuesday 8 August prior to being removed. It is not known how many people may have accessed it during this time.
PSNI assistant chief constable and senior information risk owner (SIRO) Chris Todd said: “Police are investigating the circumstances surrounding the release of data within a spreadsheet.
“We have informed the organisation to make our officers and staff aware of the incident, appreciating the concern that this will cause many of our colleagues and families. We will do all that we can to mitigate any such concerns.
“An initial notification has been made to the office of the information commissioner regarding the data breach.
“The matter is being fully investigated and a Gold structure is in place to oversee the investigation and consequences. It is actively being reviewed to identify any security issues.
“The information was taken down very quickly. Although it was made available as a result of our own error, anyone who did access the information before it was taken down is responsible for what they do with it next. It is important that data anyone has accessed is deleted immediately,” he said.
“This is an issue we take extremely seriously and as our investigation continues we will keep the Northern Ireland Policing Board and the Information Commissioner’s Office updated,” added Todd.
The breach is of particular concern given the service’s troubled past, which has resulted in a situation where the risk to staff members is not that their data will be used by cyber criminal gangs for phishing and fraud, but by armed paramilitary organisations.
The successor organisation to the much-maligned Royal Ulster Constabulary (RUC) – described by Irish Republicans as a militarised police force – the PSNI was formed 22 years ago as a reformed organisation, following the recommendations of the Independent Commission for Policing in Northern Ireland established under the Good Friday Agreement.
In the intervening years, the service has done much to address and account for its predecessor’s role in the Troubles, and has implemented affirmative action policies to bring in more personnel from a Catholic background.
However, given its difficult past, and continued security threats and actions from dissident groups both Republican and Unionist – a senior officer who led investigations into paramilitary groups was ambushed and shot in Omagh, County Tyrone, earlier this year – the worry is that the release of data on the service’s personnel will put them at risk of harm from such groups in future.
Speaking to the BBC, the Ulster Unionist Party’s Mike Nesbitt said that given the extent of the security threat, many PSNI staff still did not tell all their family members what they did for a living. In one case, he said, an officer had not been able to visit his mother in her own home for a decade due to the potential threat to the family’s safety.
Nesbitt, who sits on the Policing Board that oversees the PSNI, which is to hold an emergency meeting on the breach on Thursday, said: “It is imperative that officers, staff, and their families and friends understand how seriously this breach is being taken and that the board is determined to fulfil its oversight and challenge functions appropriately.
“There are several issues here. First, ensuring those who now feel themselves at risk are given a realistic assessment of the implications of the data breach. Second, why was there no ‘fail safe’ mechanism to prevent this information being uploaded. Third, there is the question of whether it was a genuine mistake, and here, the principle of innocent until proven guilty applies.
“I view this like a serious incident when people are seriously physically injured. The priority is to assist the injured. Only after that do you turn to examine the other issues. In other words, my thoughts are with those whose names have been released into the public domain, who had a reasonable expectation this would never happen,” he said.
Alliance Party leader and former justice minister Naomi Long described the data breach as being of “profound concern” to officers, staff and their families, who would be feeling “incredibly vulnerable and exposed”.
“Immediate action must be taken to offer them proper information, support, guidance and necessary reassurances regarding their and their families’ security,” she said.
“Whilst the personal data has now been removed, once such information has been published online, it leaves an indelible footprint. That such sensitive information could ever have been held in a manner open to such a breach is unconscionable and will require serious investigation; however, the most urgent issue is supporting those whose security has been compromised.”
Sinn Féin policing spokesperson Gerry Kelly added: “This was an unprecedented data breach which could have put the lives of many police officers, staff and their families in danger.
“While no addresses were given surnames, ranks and locations were provided in a table and a spreadsheet. We need to know how this breach occurred.
Kelly added: “I will be asking why safeguards were not in place to prevent such a breach happening and how quickly measures can be put in place to ensure it won’t happen again.
“In circumstances where the level of threat is at severe after the attempted murder of DCI John Caldwell, there will be huge concern among members of the PSNI and their families and the wider community at this revelation,” he said.