Incident & Breach Response , Security Operations
Northern Ireland Police Disclose Another Serious Data Breach
Privacy Watchdog Probing Accidental Leak of Personal Information for Entire ForcePolice officers in Northern Ireland, already reeling from a serious security incident that resulted in their personal details being publicly exposed, have fallen victim to another recent data breach.
See Also: Forrester Report: Palo Alto Networks: A Leader in Cybersecurity IR Services
"Police are investigating the circumstances surrounding the theft of documents, including a spreadsheet containing the names of over 200 serving officers and staff," Assistant Chief Constable Chris Todd, the senior information risk owner for the PSNI, said in a statement issued Wednesday.
The data breaches have led politicians to question the fitness of the Police Service of Northern Ireland's current leadership. Serving members of the force are demanding to know why their personal data, the release of which puts their personal safety at risk, wasn't compartmentalized and secured.
The spreadsheet containing more than 200 employees' names was stored on a police laptop stolen along with a police radio on July 6 from "a private vehicle" in Newtownabbey, a large town just north of Belfast. Police said they have alerted the affected individuals and notified the Information Commissioner's Office - the U.K.'s data protection authority - as they are legally required to do.
"This is an issue we take extremely seriously and as our investigation continues we will keep the Northern Ireland Policing Board and the Information Commissioner's Office updated," Todd said.
Policing in Northern Ireland remains fraught with sectarian tensions and the ever-present threat of criminal reprisal. Many on the force prefer not to have their profession known, even by intimates, given the dangers of assassination by dissident republicans who reject the 1998 power-sharing agreement that ended decades of civil strife known as the Troubles.
"Our officers go to great lengths to protect their identities. Some of them don’t even tell their close friends and associates that they are actually in the police,” Liam Kelly, chair of the Police Federation for Northern Ireland, told the BBC Today radio program on Wednesday. In March, the U.K. government raised the terrorist threat level in Northern Ireland to "severe" following the attempted assassination of an off-duty police officer in Omagh, County Tyrone.
Breach Affects All Serving Police Officers and Staff
News of the July data breach comes after the inadvertent exposure on Tuesday of personal details pertaining to all 9,276 serving police officers and staff. Blaming "human error," the PSNI said an employee had posted the personnel information, contained in a spreadsheet, to the force's website in response to a freedom of information request.
Exposed information included first and middle initials, surname, rank/grade, job role and work location (see: Northern Ireland Police at Risk After Serious Data Breach).
"This data was available to view on the website for a period of up to three hours before it was removed," Todd said in a separate statement Wednesday.
The Northern Ireland Policing Board, which oversees the nation's police force, announced it would hold an emergency meeting Thursday to review the incident and question Simon Byrne, the PSNI's chief constable.
The ICO said it is probing the incident and will help the force review risks and appropriate mitigations, which it expects the PSNI to do with "urgency."
"People have the right to expect that their personal information is kept safe and not disclosed when it shouldn't be," John Edwards, the Information Commissioner, said in a statement. "This incident raises serious concerns as it shows how even the smallest of human errors can have major consequences."
Todd said the PSNI has brought in an independent adviser "to conduct an end-to-end review of our processes in order to understand what happened, how it happened and what we can do immediately to prevent such a breach happening in the future."
Cybersecurity expert John Walker, who formerly served in intelligence and counterintelligence roles with the Royal Air Force, said the data exposure reflects "a complete breakdown of just about every control you would assume to be in place to secure 'sensitive intel.'" He said this is surprising not only because of the risk now posed to police officers and staff, but also because this is not the first time sensitive information has been accidentally divulged by a government organization when handling a freedom of information request.
Walker said at a minimum, the breach highlights what must be a variety of missing controls, ranging from poor or nonexistent training, data classification and release processes to a failure to restrict access to sensitive data. He also questioned whether information this sensitive should even be stored in digital form or in any online-connected system.
"The data breach exposes us as never before," said Andrew George, a chief inspector in the PSNI and president of the National Black Police Association, in a Guardian opinion piece. George said that everyone in the PSNI faces the constant threat of being attacked both on-duty and off-duty, takes their weapon home for protection, and regularly checks their cars for boobytraps. "The fear among my colleagues has been palpable," he said.
The PSNI's Todd said the force has "issued updated personal security advice to all of our officers and staff and have established an emergency threat assessment group that will look at the welfare concerns of our people." The group's immediate priority is to identify members of staff - and their families - likely to be at immediate harm or risk from the data exposure.