A review of a massive police data security breach in Northern Ireland has blamed a force-wide lack of prioritization of data security.
A report by the National Police Chiefs’ Council (NPCC) found the data breach, who saw details of all Police Service of Northern Ireland (PSNI) staff accidentally published onlinewas not the result of a “single isolated decision, action or incident by an individual, team or department”.
Instead, the review found that “it was a consequence of many factors and fundamentally a result of the PSNI as an organization not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risks earlier or to do it. in an agile and modern way.”
It added: “The need to better prioritize data, information and cyber security is not recognized at a strategic level or sufficiently driven by senior leaders.
“There is no strength program or strategy.”
The review found within the PSNI “there is little importance attached to essential organizational data functions and they are delivered using a ‘light touch’ approach”.
On 8 August, the personal data of almost 9,500 police officers and civilian staff was accidentally published as part of a Freedom of Information (FOI) response, in what the NPCC described as “the most significant data breach ever in the history of UK policing”.
The FOI request had sought the number of officers at each rank, but the PSNI accidentally included the surname, first initial, workplace location and unit of each police officer and civilian staff, full-time and part-time.
The data was publicly available for about two and a half hours before it was removed.
How did it happen?
The NPCC review found that six unnamed PSNI staff handled the processing of the FOI request before it was released with the additional source information included.
The terms of the review meant it could not apportion blame to individuals.
Outrage and resignations
With the terror threat level in Northern Ireland raised to “severe” earlier this yearfollowing dissident shooting of Senior Officer John CaldwellPSNI officers and staff were outraged by the breach.
It was seen as a major contributing factor Chief Constable Simon Byrne’s resignation a month later.
MPs were told that Catholic police officers had asked whether they should start bringing weapons to mass after the breach, which was estimated to potentially cost the police up to £240 million, including the potential costs of legal action.
The NPCC review team said affected officers “expressed distress, sadness and dismay” and 4,000 of them contacted the PSNI’s threat assessment team.
“The mental health of officers and staff in particular has deteriorated”, with one resignation and 50 reported sick leaves blamed for the data breach.
Another officer moved “to keep themselves and their family safe”.
The report also recommended that the PSNI should consider creating a role similar to a chief data officer, establish a data board, carry out regular audits of data functions and replace data loss prevention software.
The PSNI and the Information Commissioner’s Office are both investigating the data breach.