A MAJOR data breach which saw the details of thousands of serving PSNI officers published online is a “wake-up call” for all forces, a report into the incident has found.
On August 8 the personal information – including surnames, initials, ranks/grades, locations, and departments – of 9,483 police officers and staff working at the PSNI was published on a public website following a Freedom of Information request.
The information remained online for three hours, before the error was spotted and rectified.
The breach was deemed a critical incident, occurring at a time when the threat level in relation to Northern Irish-related terrorism was ‘severe’, meaning an attack was deemed ‘highly likely’.
“This is considered to have been the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland and therefore the actual, or perceived, threats towards officers, staff, and communities,” a report into the incident stated this week.
The Independent Review Team, led by Commissioner Pete O’Doherty, of the City of London Police, presented their Protecting from Within report to the Police Service of Northern Ireland and the Northern Ireland Policing Board yesterday.
In it they claim the breach was a result of the PSNI as an organisation failing to protect its data effectively.
“With the significant threats facing policing by external cyber threat actors, we can’t allow ourselves to be vulnerable from within and must do everything in our power to protect our data, information, and infrastructure, and give our staff and members of the public, the absolute confidence and trust that we will protect their information,” Commissioner O’Doherty said in the report.
“In order to achieve this, we must foster a more modern and robust approach to information management and security, and ensure we have the leadership, governance, structures, and systems in place to protect the institution of policing and everyone who is part of it and affected by it.
“This report not only serves to highlight how the breach occurred and what measures must be taken to prevent this from ever happening again, it is a wake-up call for every force across the UK to take the protection and security of data and information as seriously as possible and in this way, many of the recommendations in this report may apply to many other police forces.”
Responding to the report findings, the PSNI’s Chief Constable Jon Boutcher said: “The report highlights the fact that the breach that occurred was not a result of a single isolated decision, act nor incident by any one person, team or department, but more, a result of the PSNI as an organisation not better seizing opportunities to better and more proactively secure and protect its data, and identify and prevent risk earlier on, in an agile and modern way.”
He added: “The Service Executive Team will now take time to consider the report and the recommendations contained within it.
“We have already taken action on one of the recommendations and the role of SIRO (Senior Information Risk Owner) has been elevated to the post of Deputy Chief Constable.
“This will ensure that information security and data protection matters will be immediately visible to the Deputy Chief Constable, Chief Operating Officer and Chief Constable and they can be afforded the support and attention they critically deserve.
“We will work with the Northern Ireland Policing Board to consider the implications of the Report and a timeframe for the completion of relevant actions that have been identified.”