Widespread security breaches blamed for PSNI data breach


The largest ever data breach in British police history was due to force-wide security breaches and a “light approach” to data protection.

In August 2023, the Police Service of Northern Ireland (PSNI) suffered a cyber incident that resulted in 9,483 police and civilian personnel having their personal data exposed.

The breach occurred when data in an Excel spreadsheet was accidentally disclosed in response to a Freedom of Information (FOI) request. The spreadsheet revealed the surnames and initials of the force’s current employees, their rank or grade, and the location and department in which they work.

An independent review of the event has been requested by the PSNI and the Northern Ireland Policing Board (NIPB). The team that carried out the review, led by NPCC Head of Information Assurance and City of London Police Commissioner Pete O’Doherty, presented their results to the PSNI and NIPB on December 11, 2023.

The report reveals that a tab containing sensitive information relating to officers and staff had been hidden in a spreadsheet and was not noticed by six members of staff before it was published in the FOI.

Where has PSNI security failed?

The violation did not result from an “isolated decision, act, or incident by a single person, team, or department,” according to the report.

Instead, the review said: “This was a consequence of many factors, and fundamentally the result of the PSNI, as an organisation, failing to take advantage of opportunities to secure and protect its data better and more proactively, to identify and prevent risks earlier, or to do so in an agile and modern way.”

The review noted that the PSNI was taking a “light approach” to data protection and security, without having a strategy in this regard.

Additionally, the Data Protection Act 2018 had not yet been fully integrated within the force and this implementation process could have been “optimistic” or “overkill”.

“Data Protection Impact Assessment (DPIA) obligations are not met, but this is recorded as ‘green’ and unmet information sharing requirements are identified as ‘amber’. The report subject to the data breach did not have a classification applied. The presence of an OFFICIAL-SENSITIVE (or higher) marking could have caused PSNI staff to treat the information differently,” the report reads.

Finally, the review found that there appeared to be “a lack of recognition of the extent of the role of the Data Protection Officer (DPO), (who has) no direct reporting mechanism at the highest level of the organisation – which is a legal requirement.”

A wake-up call for all UK police forces

In his foreword to the report, O’Doherty said the event was “a wake-up call for all forces across the UK” to take data and information protection and security seriously. He added that many of the report’s recommendations could apply to many other police forces.

The investigation team added that, based on the information provided, the data breach was not the result of a credible threat made against the PSNI.

The cyber incident led to the resignation of Chief Constable Simon Byrne a month later and more than 50 absences due to illness.

More than 4,000 PSNI employees, including civilians and police officers, have taken legal action against the force. Litigation could cost the PSNI between £24 million and £37 million.

At a press conference, PSNI Chief Constable Jon Boutcher said the report was “difficult to read”, adding “I accept the lessons it contains”.


Top eight security recommendations for PSNI

The NPCC review made 37 recommendations, some of which remained confidential for security reasons.

Some of the public recommendations include:

  • Record strategic risks related to cybersecurity compliance and to maximizing the value of data, including its use in innovative technologies.
  • Ensure that regular audits of data functions take place, considering cooperation with other police or public sector specialists.
  • Reposition the Senior Information Risk Officer (SIRO) to the level of a Deputy Chief Constable. The SIRO should also establish a force-level data committee, including clear terms of reference and participation from information asset owners (IAOs), data business line managers and other business areas such as digital and business change.
  • Consider introducing a specialist role similar to that of a data manager overseeing and coordinating data functions.
  • Review the role of the DPO, carefully considering legal requirements, reporting lines, adequate resources, accountability functions and risk management.
  • Document the FOI process in a standard operating procedure, streamlining and deduplicating all associated documentation.
  • Urgently conduct a data maturity assessment to understand the organizational position and develop a program of work, continually improving and coordinating existing services and developing new capabilities, including data governance and data ethics.
  • Consider a sponsored organizational awareness campaign at the executive level, including the value of freedom of information, the message that information security and management is everyone’s business, and the importance of information during and outside the service.

Boutcher said a data committee is being created, as recommended by the review.
