Thousands of NI police details exposed online

Information accidentally published in response to FoI request

Thousands of NI police details exposed online

The Police Service of Northern Ireland (PSNI) has apologised for a self-inflicted data breach, which saw sensitive information about all current officers and staff members published online.

The details, mistakenly publicised in response to a Freedom of Information (FOI) request, included the last names, initials, ranks or positions, work locations and departments of all PSNI personnel.

"This is human error," PSNI assistant chief constable Chris Todd said at a press conference on Tuesday.

"We've looked into the circumstances, we'll continue with our investigation, but the very early considerations are that this is simple human error and the people who have been involved in the process have acted in good faith."

"In terms of the security for individuals, there's nothing at the moment to suggest there's any immediate security concerns, but we have put actions in place to ensure that if anything does arise we will be aware of that, and then we can mitigate accordingly."

https://twitter.com/rtenews/status/1689003768199696384?ref\\_src=twsrc%5Etfw

The original FoI request had asked for a breakdown of PSNI staff ranks and grades.

But, in addition to providing a table outlining the count of individuals in roles like constable, the PSNI accidentally included a spreadsheet holding personal data on over 10,000 individuals.

The information was online for between two and a half to three hours, starting from its publication at 14:30 on Tuesday. Mr Todd was notified at 16:00, and corrective measures were taken to remove the data.

Todd expressed his apologies for the "regrettable" data leak, and said measures have been identified (but not yet taken) to prevent such an error taking place again.

The breach has been reported to the Information Commissioner's office.

An ICO spokesperson said: "The Police Service of Northern Ireland has made us aware of an incident and we are assessing the information provided."

In a press statement, the PSNI said that, while the information became accessible through its own mistake, individuals who managed to access the data before its removal would bear responsibility for their actions.

"It is important that data anyone has accessed is deleted immediately."

Secretary of state Chris Heaton-Harris expressed his "deep concern" about the breach. He said "senior PSNI officers" are providing him with ongoing updates on the situation.

The Police Federation of Northern Ireland (PFNI), which represents officers' interests, referred to the incident as a "monumental" breach.

"Rigorous safeguards ought to have been in place to protect this valuable information which, if in the wrong hands, could do incalculable damage," Liam Kelly, chair of the PFNI said.

Kelly added that it was fortunate the PSNI spreadsheet did not include home addresses, noting that such an inclusion could have been "disastrous."

The Northern Ireland police have been subjected to threats from republican paramilitary groups, with the most recent incident occurring in February.

That was when detective chief inspector John Caldwell was shot in the presence of his young son in Omagh, County Tyrone. The group known as the New IRA claimed responsibility for the attack.

The PSNI data breach occurred late yesterday, the same day as the Electoral Commission revealed that personal information belonging to as many as 40 million UK voters had been compromised in a complex cyberattack carried out by unidentified "hostile actors."

Read now: Electoral Commission hack: Five things you need to know

The attackers were able to access email servers, control systems and copies of the electoral register.

Although the election watchdog became aware of the attack in October 2022, the malicious actors had been present in the system starting from August 2021.

The security breach has been reported to both the ICO and the National Cyber Security Centre.