The most significant data breach that has ever occurred in the history of UK policing was due to force-wide security failings and a “light touch approach” to data protection.
In August 2023, the Police Service of Northern Ireland (PSNI) suffered from a cyber incident that resulted in 9483 police officers and civilian staff having their personal data exposed.
The breach occurred following the accidental release of data within an Excel spreadsheet following a Freedom of Information (FOI) request. This revealed the surnames and initials of current employees in the service, their rank or grade, and the location and department they work in.
An independent review of the event was requested by PSNI and the Northern Ireland Policing Board (NIPB). The team that conducted the review, led by NPCC Information Assurance lead and the Commissioner of the City of London Police, Pete O’Doherty, presented their results to PSNI and NIPB on December 11, 2023.
The report found that a tab containing the sensitive information regarding officers and staff had been hidden in a spreadsheet and not noticed by six staff members before it was released in the FOI.
Where Did the PSNI Security Fail?
The breach did not result from a "single isolated decision, act, or incident by any one person, team, or department,” according to the report.
Instead, the review said: “It was a consequence of many factors, and fundamentally a result of PSNI as an organization not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way."
The review noted that PSNI was adopting a “light touch approach” to data protection and security, having no strategy in that regard.
Additionally, the 2018 Data Protection Act had not yet been fully embedded within the force and that this implementation process may have been "optimistic" or "over-stated."
"Obligations in relation to Data Protection Impact Assessment (DPIAs) are not being met, yet this is recorded as ‘green’ and information sharing requirements not being met are identified as 'amber.’ The report subject of the data breach did not have a classification applied. The presence of an OFFICIAL-SENSITIVE (or higher) marking could have prompted PSNI personnel to handle the information differently,” reads the review.
Finally, the review found that there seemed to be "a lack of recognition of the breadth of the role of data protection officer (DPO), [who has] no direct reporting mechanism to the most senior level of the organization – which is a legal requirement."
A Wake-Up Call For Every Police Force in the UK
In his foreword to the report, O’Doherty said the event was “a wakeup call for every force across the UK” to take the protection and security of data and information seriously. He added that many of the recommendations in the report may apply to many other police forces.
The investigating team added that, based on the information provided, the data breach was not the result of a credible threat being made against PSNI.
The cyber incident led to the resignation of Chief Constable Simon Byrne a month later and more than 50 sickness absences.
Over 4000 PSNI employees, including civilians and police officers, are taking legal action against the force. The litigations could cost PSNI from £24m to £37m.
During a press conference, PSNI Chief Constable Jon Boutcher said the report was “difficult reading,” adding “I accept and embrace the learnings within it.”
Read more: Fresh Blow to PSNI Security as Second Data Breach Disclosed
Top Eight Security Recommendations for PSNI
The NPCC review outlined 37 recommendations, including some that were kept private for security reasons.
Some of the public recommendations include:
- Record strategic risks related to cyber and data value maximization and compliance, including its use in innovative technologies.
- Ensure regular audits of data functions take place, considering cooperation with other specialists within policing or the public sector.
- Reposition the senior information risk owner (SIRO) at a Deputy Chief Constable level. The SIRO should also establish a force-level Data Board, including clear terms of reference and attendance by Information Asset Owners (IAOs), data business area leads, and other business areas such as digital and corporate change.
- Consider introducing a specialist role akin to a chief data officer overseeing and coordinating data functions.
- Review the DPO's role, carefully considering statutory requirements, reporting lines, adequate resourcing, accountability functions and risk management.
- Document the FOI process in one standard operating procedure, streamlining and de-duplicating all associated documentation.
- Conduct a data maturity assessment with urgency to understand the organizational position and develop a program of work, continuously improving and coordinating existing services and building new capabilities, including data governance and data ethics.
- Consider an executive-level sponsored organizational awareness campaign, including explaining the value of FOI, the message that information security and management is everyone’s job, and of the importance whilst on and off duty.
Boutcher said that a Data Board is being established, as recommended by the review.