A 2023 Breach Exposed Personal Details of All PSNI Officers and Staff
The U.K. data regulator imposed a fine of 750,000 pounds against the Police Service for Northern Ireland following a 2023 data breach that exposed personal details of the entire workforce.
The breach revealed surnames, initials, ranks, and roles of all 9,483 PSNI officers and staff – many of whom kept their employment a secret, since law enforcement employment is still a sensitive subject in an area marked by persistent sectarian tensions (see: Northern Ireland Police at Risk After Serious Data Breach).
An investigation by the U.K. Information Commissioner’s Office determined the breach occurred when the police force attempted to respond to two open records requests made through WhatDoTheyKnow, a website maintained by a British non-profit for facilitating applications made under the Freedom of Information Act. The site allows users to send requests and publishes the results.
One request asked for the number of officers at each rank and the number of staff at each civil service grade. The other sought to find out the number of police ranks held on an acting, temporary, or permanent basis. PSNI staff downloaded an HR database to process the requests through an Excel spreadsheet – and forgot to remove the tab containing raw data, the ICO said in a statement posted just after midnight in Great Britain.
The information was publicly accessible on WhatDoTheyKnow for just over two hours until the platform deleted it. Dissident republicans who reject the power-sharing agreement between Ireland and the United Kingdom that quelled decades of conflict known as “The Troubles” obtained a copy.
“I don’t sleep at night. I continually get up through the night when I hear a noise outside to check that everything is ok,” one affected staffer told ICO investigators. Another reported difficulties sleeping at night and that the family’s children “are all stressed about my welfare, some of them have told me that they have nightmares about me getting attacked.”
Another, who told investigators he disclosed his employment only to close family and friends, worried that “many persons involved and linked to paramilitary groups and wider criminal circles in this area would know me or remember me from both school and childhood.”
The British Security Service currently rates the terrorism threat level in Northern Ireland as “substantial,” a medium rating that warns of a “likely” attack, but stops short of rating a terrorist incident as “highly likely.”
The domestic intelligence agency lowered the level in March after a year earlier elevating it to “severe” following an attempted assassination by dissident republicans against an off-duty detective in Omagh, County Tyrone.
The PSNI has already accepted liability, apologized for the breach and is holding mediation talks to determine compensation (see: Breach Roundup: PSNI Mediation Begins Over Data Leak Compensation).
The ICO said the fine amount of 750,000 pounds includes a substantial discount applied to government agencies. Without it, the amount would have been 5.6 million pounds, it said.
Deputy Constable Chris Todd said the service accounted for the bulk of the fine in its budget, but will have to come up with an additional 140,000 pounds to pay off the full amount. “This fine will further compound the pressures the Service is facing,” he said.