A further breach of personal data of serving officers from the Police Service of Northern Ireland (PSNI) was confirmed on August 9, 2023.
The PSNI said this latest incident involved the theft of documents, including a spreadsheet containing the names of over 200 serving police officers and staff, from a “private vehicle” in the Newtownabbey area in Northern Ireland.
The incident took place on July 6, 2023, with a police issue laptop and radio stolen alongside the documents.
The latest breach emerged just one day after an accidental leak of the personal details of 10,000 police officers and civilian personnel working at the PSNI.
Read more: Northern Ireland Police Officers Vulnerable After Data Leak
Responding to the most recent data theft incident, PSNI’s Senior Information Risk Owner, Assistant Chief Constable Chris Todd said the service has contacted the officers and staff concerned about the breach and had submitted an initial notification to the Information Commissioner’s Office (ICO).
“This is an issue we take extremely seriously and as our investigation continues we will keep the Northern Ireland Policing Board and the Information Commissioner’s Office updated,” he commented.
Explanations Needed
Liam Kelly, Chair of the Police Federation of Northern Ireland (PFNI), a union representing rank and file officers in the region, revealed he had been “inundated with calls from worried officers” about the breaches, and demanded “credible explanations” from the PSNI.
“This confirmation by the Service makes matters worse. Clearly, urgent answers are required. How did this happen? What steps were put in place to advise and safeguard so many colleagues?” he stated.
“The [first] major security breach was bad enough, but this heaps further additional pressure on the PSNI to produce credible explanations around data security protocols and the impact on officer safety. Speed is of the essence. This cannot be dragged out as officers of all ranks throughout the Service are seeking reassurance and an effective action plan containing all necessary measures to counter the damage and minimize risk,” Kelly said.
Former Minister of Justice for Northern Ireland, Naomi Long, also called for a full investigation into the breach and has highlighted the PSNI’s duty of care to protect officers and introduce additional security measures.
“These are people, both staff and officers, who put themselves at risk in order to keep the rest of us safe and the organization has failed to protect their data and keep them safe,” she said.
Scrutinizing Security Measures
In a separate update on August 9, the PSNI declared the first data breach a critical incident, and revealed the Chief Constable Simon Byrne is cutting his family holiday short to work on the investigation.
The force has also established an emergency threat assessment group that will provide safety and security advice to affected personnel, as well as “immediate support to those with specific circumstances which they believe place them or their families at immediate risk or increased threat of harm.”
The PSNI said that an independent advisor will be conducting an end-to-end review of the force’s processes to establish how the breach occurred and how similar incidents can be prevented in the future.
In a statement on August 9, the UK’s Information Commissioner, John Edwards, said the ICO is working with the PSNI to understand the extent to which the personal information was accessed during the time it was exposed in the first accidental breach.
Experts noted that both breaches arose due to human error and highlighted the need for stronger data control processes and awareness training for staff.
Andy Ward, VP International at Absolute Software, commented: “Major organizations such as police departments are among the primary targets for cyber incidents due to the vast amount of sensitive and personal data stored on their systems, and with that must take extra caution when it comes to cyber breaches.
“Cybersecurity awareness training is essential to ensure staff understand the threats posed against an organization, the consequences of breaches and how to respond when they occur,” he added.
Pieter Arntz, Malware Intelligence Researcher, Malwarebytes, noted: “As we sometimes see in data breaches, there was no malicious intent, but it was a case of human error. Human errors, however, are always enabled by some oversights in security measures or protocols that designed to depend on everyone knowing exactly what to do and what not to do.”