Identity & Access Management , Security Operations

More UK Police Suffer Freedom of Information Data Breach

Constabularies of Norfolk and Suffolk Alert Follows FOIA Breach in Northern Ireland
More UK Police Suffer Freedom of Information Data Breach
Image: Shutterstock

A British police force disclosed serious breaches of personal data pertaining to victims, witnesses and suspects more than a year after the incidents occurred - just days after Northern Ireland police divulged they had accidentally revealed workforce data now believed to be in the hands of terrorists.

The constabularies of Norfolk and Suffolk accidentally exposed information of 1,230 individuals, the agencies said in a Tuesday data breach notification. The constabularies' jurisdiction covers an area with about 1.5 million residents in East Anglia, a region in the east of England.

"The data impacted was information held on a specific police system and related to crime reports," the constabularies said. "The data includes personal identifiable information on victims, witnesses and suspects, as well as descriptions of offenses. It related to a range of offenses, including domestic incidents, sexual offenses, assaults, thefts and hate crime."

Police said they had sent the personal information to researchers and journalists when handling multiple requests for crime statistics submitted under the Freedom of Information Act between April 2021 and March 2022.

The Police Service of Northern Ireland made a similar mistake earlier this month when it posted online for hours a spreadsheet containing the first initials and surnames, roles and locations of every one of its approximately 10,000 officers and staff.

Many police officers in Northern Ireland shield their identities due to fear of dissident republicans who reject the 1998 power-sharing agreement that ended decades of civil strife known as the Troubles (see: Northern Ireland Police at Risk After Serious Data Breach).

"We are now confident that the workforce data set is in the hands of dissident republicans," Simon Byrne, the PSNI's chief constable, said on Monday "It is now a planning assumption that they will use this list to generate fear and uncertainty as well as intimidating or targeting officers and staff."

Days after the initial disclosure, the PSNI acknowledged another breach, stemming from the theft of a police laptop last month that contained a spreadsheet listing more than 200 employees' names.

Even before the complete list of PSNI officers and staff fell into the hands of extremists, the U.K. government raised the terrorist threat level in Northern Ireland in March to "severe" following the attempted assassination of an off-duty police officer in Omagh, County Tyrone.

Byrne said the PSNI has identified personnel for whom their personal - or family's - security is at heightened risk. "We have measures in place to reassure and advise our workforce of what this risk means for them," he said.

On Wednesday, the PSNI announced that as part of its data breach investigation, officers arrested a 39-year-old man in the town of Lurgan on suspicion of collection of information that would be useful to terrorists. "We are working tirelessly to address the risk posed to officers and staff," said Detective Chief Superintendent Andy Hill. "Today's search operation and subsequent arrest is just one piece of a large-scale operation."

Norfolk and Suffolk Notifying Victims

The Norfolk and Suffolk constabularies have begun to contact victims of the breaches, said Suffolk constabulary temporary Assistant Chief Constable Eamonn Bridger, who is leading an internal investigation into the data breaches. They will notify victims either in a letter, over the phone or in a face-to-face conversation. Officials hope to have completed all notifications by the end of September.

"We would like to apologize that this incident occurred," Bridger said. "Occasionally things can go wrong," he told the BBC, adding that the agencies have instigated procedural changes to minimize the likelihood of a repeat incident.

Police also said they have set up a dedicated team to support victims, all of whom will be told what specific personal details about them have been exposed.

Officials said they have seen no signs that the exposed information is being actively used against victims or witnesses. They also said the private information wouldn't have been immediately visible to anyone who received it, but they haven't clarified what that means - for example, if the information was present in rows in a spreadsheet set to be hidden, but which could be easily unhidden.

The elected police and crime commissioner for Suffolk, Tim Passmore, whose responsibilities include hiring and firing the force's chief constable as well as setting and monitoring the force's priorities and performance, said he has "requested regular updates from the chief constable so I can be assured everything reasonably possible is being done to put matters right."

The Information Commissioner's Office, which enforces Britain's data protection laws, said it is probing this breach and a separate one the force reported in November 2022.

In the November breach, the Suffolk constabulary accidentally published personal information, including names and addresses, for "hundreds" of victims of sexual abuse, the East Anglian Daily Times reported.

Aug. 17, 2022 09:05 UTC: This story has been updated to detail the PSNI's arrest of a 39-year-old man during the course of its breach investigation.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.