Norfolk and Suffolk police admit to data breach impacting 1,230 people

Two UK police forces have admitted to a data breach caused by a “technical error” that saw the personally identifying information of victims, witnesses and suspects mistakenly posted online following Freedom of Information (FOI) requests.

Norfolk and Suffolk police admitted on August 15 that the data of 1,230 people was included in files published to the internet following FOI requests. This included the sensitive data of those who were victims and witnesses of or suspects in cases including assaults, sexual offences, thefts, hate crimes and domestic abuse incidents. 

The data was released via FOI requests for crime statistics between April 2021 and March 2022. According to Norfolk and Suffolk police, the data published included “personal identifiable information on victims, witnesses, and suspects, as well as descriptions of offences”. 

According to Norfolk and Suffolk police, the data was published due to a “technical issue” which “led to some raw data belonging to the constabularies being included within the files produced in response to the FOI requests in question. The data was hidden from anyone opening the files, but it should not have been included”.

The police forces have apologized for the mishandling of the data, and said that there is “nothing to suggest” that the data was accessed by anyone outside of policing, however the investigation into the breach is ongoing. The Information Commissioner’s Office has also launched a formal investigation into Norfolk and Suffolk police.

Assistant chief constable of Suffolk Police, Eamonn Bridger, said regarding the cyber security incident: “We would like to apologize that this incident occurred, and we sincerely regret any concern that it may have caused the people of Norfolk and Suffolk.  

“I would like to reassure the public that procedures for handling FOI requests made to Norfolk and Suffolk constabularies are subject to continuous review to ensure that all data under the constabularies’ control is properly protected.”

Norfolk and Suffolk police said they will be contacting all those impacted by the data breach, in addition to setting up a dedicated team to answer any queries regarding the cyber security incident. 

This news follows that of the Police Service of Northern Ireland, who mistakenly published the personal information of all of its employees online following a FOI request.