Norfolk and Suffolk Police confirm data breach affecting over 1,000 victims and witnesses

Norfolk and Suffolk police forces have confirmed a data breach affecting 1,230 people, including victims of crime, witnesses, and suspects.

The data was mistakenly included in Freedom of Information (FOI) responses due to a ‘technical issue’. The forces said in a statement that the data was hidden from anyone opening the files, but should not have been included.

The data included personal identifiable information on victims, witnesses and suspects, as well as descriptions of offences, including sexual and domestic assaults.

‘Strenuous efforts’ were made to ascertain if anyone outside the police force accessed the data. Early indications, according to the forces, are that there has been no unauthorised access. Both Norfolk and Suffolk constabularies emphasised that the concealed data was not ‘immediately obvious’ and would require specific knowledge to extract.

“We would like to apologise that this incident occurred, and we sincerely regret any concern that it may have caused the people of Norfolk and Suffolk,” said Eamonn Bridger, Suffolk Temporary Assistant Chief Constable, who led the investigation on behalf of both forces.

The breach occured during responses to FOI requests for crime statistics issued by the forces between April 2021 and March 2022.

“I would like to reassure the public that procedures for handling FOI requests made to Norfolk and Suffolk constabularies are subject to continuous review to ensure that all data under the constabularies’ control is properly protected,” added Bridger.

Tim Passmore, the Police and Crime Commissioner for Suffolk, expressed his regret over the occurrence and committed to overseeing a thorough review of the constabulary’s information-sharing protocols to prevent any future lapses.

The Information Commissioner’s Office (ICO) has been notified and is being kept updated.

Stephen Bonner, a Deputy Commissioner at the ICO, said: “It is too soon to say what our investigation will find, but this breach – and all breaches – highlights just how important it is to have robust measures in place to protect personal information, especially when that data is so sensitive.”

This is not an isolated incident involving Suffolk Police. A breach in November 2022 revealed the names and addresses of victims on the Suffolk Police website.

“We are currently investigating this breach and a separate breach reported to us in November 2022. In the meantime, we’ll continue to support organisations to get data protection right so that people can feel confident that their information is secure,” added Bonner.

This breach comes on the heels of another severe data leak involving the Police Service of Northern Ireland (PSNI). The leak, caused by human error, made every active officer and staff member of the PSNI exposed and ‘incredibly vulnerable’.

“Anyone disclosing information derived from sensitive datasets should take great care to ensure that they do not inadvertently release other information – spreadsheets in particular are notorious examples of software that can appear to ‘hide’ information, but actually leave it exposed.

Most public authorities are aware of the risks of this when responding to FOI requests, but mistakes can still be made. Given that the Information Commissioner has recently introduced an effective moratorium on fining public authorities, some might now question whether such authorities are being left to operate with insufficient regulatory oversight,” said Jon Baines, Senior Data Protection Specialist at Mishcon de Reya.

As these events unfold, they underline the pressing need for stringent data protection measures and the responsibility of law enforcement agencies in maintaining public trust.

Hungry for more tech news?

Sign up for your weekly tech briefings!