A review into a massive police data breach in Northern Ireland has blamed a force-wide lack of prioritisation of data security.
A report from the National Police Chiefs’ Council (NPCC) found the data breach, which saw details of all employees of the Police Service of Northern Ireland (PSNI) accidentally published online, was not the result of a “single isolated decision, act, or incident by any one person, team, or department”.
Instead, the review found that “it was a consequence of many factors, and fundamentally a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way.”
It added: “The need to better prioritise data, information, and cybersecurity, is not recognised at a strategic level or adequately driven by executive leaders.
“There is no force programme or strategy.”
The review found within the PSNI “there is little importance granted to essential organisational data functions and they are delivered using a ‘light touch’ approach”.
What happened?
On 8 August, the personal information of almost 9,500 police officers and civilian staff was accidentally published as part of a Freedom of Information (FOI) response, in what the NPCC described as “the most significant data breach that has ever occurred in the history of UK policing”.
The FOI request had sought the number of officers at each rank, but the PSNI accidentally included the surname, first initial, workplace location and unit of every serving police officer and civilian staff member, full and part-time.
The data was publicly available for around two and a half hours before being removed.
How did it happen?
The NPCC review found six unnamed PSNI employees handled the processing of the FOI request, before it was released with the additional source information included.
The terms of the review meant it could not apportion blame to individuals.
Outrage and resignations
With the terror threat level in Northern Ireland raised to “severe” earlier this year, following the dissident shooting of senior officer John Caldwell, PSNI officers and staff were outraged at the breach.
It was seen as a major contributory factor to the resignation of chief constable Simon Byrne a month later.
MPs were told Catholic police officers had asked if they should start bringing guns to mass following the breach, which was estimated to potentially cost the police service up to £240m, including the potential cost of litigation.
The NPCC review team said affected officers “expressed distress, sadness and dismay”, and 4,000 of them contacted the PSNI’s threat assessment group.
“Officer and staff mental health in particular has worsened”, with one resignation and 50 reported sickness absences blamed on the data breach.
Another officer relocated “to keep themselves and their family safe”.
The report also recommended that the PSNI should consider creating a role akin to a chief data officer, establish a data board, carry out regular audits of data functions, and replace data loss prevention software.
The PSNI and the Information Commissioner’s Office are both carrying out investigations into the data breach.