A serious data leak has exposed the personal details of police officers and civilian personnel working at the Police Service of Northern Ireland (PSNI), it was confirmed on August 8.
The breach occurred following the accidental release of data within a spreadsheet following a Freedom of Information (FoI) request. This revealed the surnames and initials of current employees in the service, their rank or grade, and the location and department they work in.
This included highly sensitive areas like surveillance and intelligence, raising concerns around the safety of police officers and their families.
The list also includes individuals currently on career breaks.
The information was published on a FoI website, What Do They Know, at around 2.30pm BST on the afternoon of Tuesday 8 August. The information was shared in response to FoI request from a member of the public that asked: ‘Could you provide the number of officers each rank and number of staff at each grade?’
In addition to a numerical table, a large Excel spreadsheet document 10,799 lines long containing the sensitive information was made available in error. The spreadsheet was subsequently removed from the website two and a half hours later, at the request of the PSNI.
Senior Information Risk Owner, Assistant Chief Constable Chris Todd, emphasized that no other personal information was included in the leak, in a statement published by the PSNI.
“An initial notification has been made to the office of the Information Commissioner regarding the data breach,” he added.
“The matter is being fully investigated and a Gold structure is in place to oversee the investigation and consequences. It is actively being reviewed to identify any security issues.”
A Severe Data Breach
Addressing the incident in a press conference on August 8, Todd apologized for the leak and acknowledged it will be of “considerable concern” to serving police officers and their families.
“We’re operating in an environment at the moment where there’s a severe threat to our colleagues from Northern Ireland-related terrorism, and this is the last thing that anybody in the organization wants to hear at the moment,” he commented.
The UK government raised the threat level for Northern Ireland-related terrorism from ‘Substantial’ to ‘Severe’ in March 2023, which was due to a rise in the targeting of police officers in the region.
Speaking to Infosecurity, Jonathan Armstrong, partner at law firm Cordery, noted the “lasting consequences” of the breach on the lives of PSNI police officers. “Even if no-one comes to actual physical harm through the breach people will live – possibly forever – with the threat hanging over them,” he outlined.
Brian Honan, CEO at BH Consulting, told Infosecurity that it is probably the most serious data breach he has seen.
He explained: “The details exposed could pave the lives of the PSNI at serious risk either by criminal elements who may seek revenge against certain officers, or more worryingly the data being used by terrorists to target officers.”
Honan noted that the ability of officers working undercover or in intelligence to carry out their duties could now be severely disrupted.
The additional risk of the details of the PSNI staff being matched with data from other recent data breaches, such as the Electoral Commission attack on August 8, 2023, was also highlighted by Armstrong.
He predicted that damaging litigation action will arise from the breach. “Whilst civil actions after a data breach have had their ups and downs, we’ll certainly see threatened legal action at a time when PSNI can ill afford it. Some people promoting this litigation will try and drive a wedge between employees and employers by suggesting unrealistic levels of damages and a wide array of litigation and funding strategies,” explained Armstrong.
Stop Using Excel to Store Data
Armstrong said it is concerning that public sector organizations often make the same mistakes regarding the use of spreadsheets to contain sensitive data, despite repeated warnings from the UK’s Information Commissioner’s Office (ICO) about the risks involved. For instance, the Cabinet Office accidently published the unredacted addresses of more than 1000 people announced in the 2019 New Year Honours list.
Honan said that organizations must reevaluate how they share information with external bodies, ensuring they have working alternatives in place to allow their employees to do their job effectively.
“Too often spreadsheets are used via email, cloud sharing platforms, or as in this case being posted onto the Internet. This means any data in those spreadsheets, including the metadata, is not secured,” he commented.
Additionally, regulators need to get tougher with the financial penalties they issue for such incidents, according to Armstrong. However, in July 2022, the ICO’s Information Commissioner John Edwards signaled a fresh approach to public sector enforcement, which will likely see fewer financial penalties levied and lower sums.
Read here: Fresh Blow to PSNI Security as Second Data Breach Disclosed
Image credit: Min Jing / Shutterstock.com