The Police Service of Northern Ireland (PSNI) suffered a “critical incident” on August 8, after the personally identifying information for all of its employees was published online.
The “monumental” data breach occurred when data was mistakenly posted online following a Freedom of Information (FoI) request. A database, which included the surname, initials, rank/grade, role and location of more than 10,000 serving officers and staff of the PSNI was published to a “legitimate FoI site”. The data was accessible for around three hours before it was taken down.
In a statement regarding the data breach, PSNI senior information risk owner, assistant chief constable Chris Todd said that the cyber security incident was “unacceptable” and was ultimately down to “human error”.
Todd also said that the PSNI had issued updated personal security advice to its officers and staff as well as establishing an emergency threat assessment group to investigate the welfare concerns of all PSNI employees.
The group will provide general advice on safety and security in addition to immediate support “to those with specific circumstances which they believe place them or their families at immediate risk or increased threat of harm”.
It is currently unknown who has accessed the data and the data has been copied. Todd noted that “anyone who did access the information before it was taken down is responsible for what they do with it next. It is important that data anyone has accessed is deleted immediately”.
The Information Commissioner’s Office (ICO) was alerted to the breach and investigation into the cyber security incident has been launched. According to PSNI, an independent advisor will be conducting an “end to end review of [its] processes in order to understand what happened, how it happened and what [PSNI] can do immediately to prevent such a breach happening in the future”.
PSNI also said that its chief constable, Simon Byrne, will be “cutting his family holiday short and returning to Northern Ireland to attend tomorrow’s special sitting of the Northern Ireland Policing Board”.
PSNI suffers secondary data breach
On August 9, it was revealed that the PSNI is also investigating a secondary data breach that it suffered following the theft of a spreadsheet containing the names of more than 200 serving officers and staff, as well as a police-issue radio and laptop, from a private vehicle on July 6.
PSNI’s senior information risk owner, assistant chief constable Chris Todd, said the matter was being taken “extremely seriously” and that is had been reported both to the ICO and the Northern Ireland Policing Board (NIPB).