The Police Service of Northern Ireland (PSNI) has disclosed a significant data breach that exposed information on all serving police officers. The breach occurred in response to a Freedom of Information (FoI) request from a member of the public relating to officer rank and staff grades. An error led to the sharing of a large Excel spreadsheet containing the surnames and initials of current employees alongside the location and department within which they work. “Police are investigating the circumstances surrounding the release of data within a spreadsheet,” read a PSNI statement.
The breach came on the same day as it was revealed that the UK’s election watchdog the Electoral Commission failed to discover a system hack for 15 months. The attack, which occurred in August 2021, exposed access to registers that contained the names and addresses of anyone in the UK who was registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. Those responsible for the attack remain unknown and the commission said no groups or individuals have claimed responsibility for the breach.
Incident under investigation, ICO has been informed
The PSNI said it has informed the organisation to make officers and staff aware of the incident, recognising the concern it will cause many of its colleagues and families. An initial notification has been made to the office of the Information Commissioner (ICO) regarding the data breach, it added. “We will do all that we can to mitigate any such concerns,” the PSNI stated.
The matter is being fully investigated and a “gold structure” is in place to oversee the investigation and consequences, according to the PSNI. “It is actively being reviewed to identify any security issues.”
Although the information was made available because of an error, anyone who did access the information before it was taken down is responsible for what they do with it next, the PSNI warned. “The information was taken down very quickly. It is important that data anyone has accessed is deleted immediately.” The PSNI will continue to investigate the incident and will keep the Northern Ireland Policing Board and the ICO updated, it said.
Data breach “unacceptable” amid Northern Ireland’s terrorism threats
Speaking in a press conference shortly after the breach was discovered, assistant chief constable Chris Todd said the error was unacceptable. “We operate in an environment, at the moment, where there is a severe threat to our colleagues from Northern Ireland-related terrorism and this is the last thing that anybody in the organisation wants to be hearing this evening,” he said. “I owe it to all of my colleagues to investigate this thoroughly and we’ve initiated that.”