On 8 August 2023, a Police Federation for Northern Ireland (PSNI) employee replied to a Freedom of Information (FOI) request, accidentally exposing the personal details of over 10,000 staff. The data, including police officers’ surnames, locations and departments, was contained in a hidden table available online for anyone to see for over two hours.
The next day, another breach of sensitive police data came to light. Back in July, a laptop containing documents, including a PSNI spreadsheet listing the names of 200 officers, had been stolen from a car in Newtownabbey, County Antrim.
Then, on 10 August, it emerged that dissident republicans claimed to have copies of the leaked information, which had been circulating on secure messaging app WhatsApp.
In Northern Ireland’s deeply troubled political climate, the PSNI breaches show the very real and stark risk of exposing personal data. Terrorists are active in the region, with the threat level rated as “severe”, meaning an attack is highly likely.
Following the PSNI incident, the Police Federation for Northern Ireland (PFNI), which represents rank-and-file officers, said it was “inundated with calls from worried officers”. The PFNI demanded an “urgent inquiry” following the breach and theft of a laptop.
On the surface, the breach resulted from a simple mistake, but the consequences are still being felt by PSNI staff and their families. How well did the organisation handle the incident, what could it have done better, and what was the actual cost of that security failure?
Experts have mixed views about how well the PSNI breach was responded to and handled.
The general consensus is that “this matter was not handled well by the PSNI”, says Jonathan Jackson, legal director at Gateley Legal. “The first breach was not the case of one human error, but multiple mistakes, pointing to systemic failings with data protection procedures and management.”
“The first breach was not the case of one human error, but multiple mistakes, pointing to systemic failings” Jonathan Jackson
While it was a “bad” data breach, Ian Thornton-Trump, CISO at Cyjax, believes it was handled well in the aftermath. He refers to the official statements, pointing out that the sensitive information was only exposed for around two hours. In addition, he calls the PSNI statement “exceptionally transparent and factual”, pointing out there was “no traditional data breach gaslighting”.
However, Thornton-Trump also concedes that some aspects of the PSNI data breach are “a bit troubling”.
For example: “Despite the two-hour exposure, no word has been given on how many times the information was accessed, or where those who did the accessing might have been located.”
The PSNI demonstrated good communication and cooperation with the Information Commissioner’s Office (ICO) once the incident was revealed. However, it’s impossible to ignore the “magnitude of the incident” and the “impact it may have given the sensitive nature of the information leaked”, says Rick Goud, CIO and founder of security firm Zivver. “Even seemingly minor human errors can lead to major consequences,” he warns.
Experts agree the PSNI breach should never have happened. The worst thing about the leak is that it could have been prevented if a couple of simple controls had been implemented, says Robert Wassall, director of legal services at NormCyber. “Adequate staff data protection awareness training would have been the most obvious preventative action. But equally, documents can be marked ‘highly sensitive’ and password-protected, and certain information can be encrypted.”
It is important to ensure proper training for all staff involved in the responsibilities under the data protection legislation, the EU update to General Update To Data Protection Regulation (GDPR) and the UK Data Protection Act, says Jackson.
It makes sense to only give staff access to the data they need – in security terms, this is known as ‘least privilege’. Firms should also take advantage of an audit capability to “know who saw what and when”, Thornton-Trump says.
He suggests adding a security warning to alert staff when sensitive data is contained in a document. “This is a very applicable security control and it would be interesting to know if the exposed spreadsheet had any security markings on it.”
The PSNI breach also shows how important it is to have controls in place for data sharing. This can mean requiring a senior colleague to authorise sharing or prohibiting sharing without a check by a second person, says Thornton-Trump. “In the absence of these controls, it’s easy to see how costly mistakes can occur.”
According to Jackson, practical steps and common sense can help prevent these types of breaches from taking place. “Password protection of important documents, proper processes of approval and supervision before the release of data all help to reduce the risk of a large data protection breach.”
While the fallout following the incident is evident and hard to overstate, the true cost of the PSNI breaches is difficult to comprehend. On top of the inevitable resignation of PSNI Chief Constable Simon Byrne are the human consequences for the police workers and their families whose details were exposed in the leak.
The real cost is the “potential worry, anxiety and stress” caused to the officers and staff members involved, says Jake Moore, global cybersecurity advisor at ESET. “Once data is released online, it can never be placed back under wraps, which means this problem is far from over. However, the positive that must be salvaged from this calamity is that all police forces will be scrambling around to ensure the error is never repeated.”
“Sadly, we will never really know the impact until officers or their families suffer a tragedy” Ian Thornton-Trump
The literal financial cost of the breaches is also adding up. It was confirmed to the Northern Ireland Affairs Committee that the first breach alone may reach £240m in security and legal costs. Meanwhile, the costs associated with litigation arising from the breaches are estimated to reach an additional £180m, Jackson points out.
The publication of this type of sensitive information is “a matter of life and death”, says Thornton-Trump. “Sadly, we will never really know the impact until officers or their families suffer a tragedy. The right information in the wrong hands can lead to very serious results.”
While it is unclear whether the police force will face fines following the incident, the data breach has raised concerns about the overall safety of PSNI officers and staff given the unrest in Ireland, says Goud. “Cases could be compromised, which could further impact victims of crime. There is also the potential for wider consequences if the data is obtained by malicious actors who can use it as part of ransomware demands.”
Then, there is the long-term loss of trust from the general public. “Many people believe, without question, that the police will keep them safe. Incidents like this can damage that faith, sometimes irrevocably,” Goud says.
Self-publishing such sensitive information is “one of the biggest blunders the police have ever made”, says Moore. However, he adds that it “shines a huge spotlight” on the fact that human error is “so easily possible”.
It was a serious incident that is still having knock-on human consequences. But it shows how important it is to have proper checks in place when sharing sensitive data, ensuring staff are trained to safeguard all information.