PSNI suffers serious data leak due to ‘human error’, leaving officers ‘incredibly vulnerable’
Written by Stuart Crowley Wed 9 Aug 2023
A severe data leak has struck the Police Service of Northern Ireland (PSNI), rendering every active officer and staff member ‘incredibly vulnerable’.
The leak was caused by human error after a spreadsheet containing highly sensitive information was published in response to a Freedom of Information (FOI) request on Tuesday.
Chris Todd, PSNI Assistant Chief Constable, acknowledged the severity of the error. He stated that the leak was due to ‘human error’ and the team involved ‘acted in good faith’.
In addressing the implications, especially for terrorist organisations, Todd admitted the data could be of ‘significant concern’.
What data was leaked in the PSNI incident?
A seemingly routine response to the FOI request about police staffing numbers revealed details of every active officer and staff member from the PSNI.
The spreadsheet mistakenly included a second tab with surnames, initials, rank or grade, workplace location, and department. Fortunately, the data did not include officers’ and civilians’ private addresses.
The spreadsheet also revealed specifics on officers from the organised crime unit, intelligence personnel at ports and airports, surveillance unit members, and nearly 40 PSNI staff working at MI5’s headquarters in Holywood.
Several individuals were also listed under a unit labelled ‘secret’, indicating their possible involvement in highly sensitive operations.
In total, there were multiple entries relating to 10,799 individuals. Each individual had up to 32 pieces of data relating to them, equalling a total of approximately 345,000 entries.
There are 9,276 police officers and staff actively serving the PSNI. It is unclear what the status is of the remaining 1,523 entries, but this could relate to former employees.
The information was live and accessible for up to three hours after being published at 2:30pm on Tuesday. By 4pm, the PSNI had identified the data leak, and the information was taken down within the hour.
The spreadsheet has been seen and was first reported by the Belfast Telegraph.
The gravity of the situation
Naomi Long from the Alliance Party underscored the heightened vulnerability that officers and their families would now face. She questioned the lack of security protocols, like encryption, and the inordinate access granted to a junior member of staff.
“There will have been officers, their families, members of civilian staff and their families, who will have spent a very uncomfortable night last night feeling exposed and vulnerable in a way that they previously didn’t.
“We know officers in Northern Ireland often can’t even return to visit family when they join the PSNI because of the level of risk. If they have an unusual name or are identifiable in some way, their families could also feel incredibly vulnerable,” said Long.
Liam Kelly, Chair of the Police Federation for Northern Ireland (PFNI), expressed his concerns to Sky News, stressing the potential real-world consequences of the breach. Officers operating in sensitive areas of policing, whose safety depends on anonymity, face severe risks and may even have to move house.
“A veil of secrecy is their shield and protects them from clear risk in dealing with the most dangerous people in our society, being our terrorists and our organised criminals,” said Kelly.
Mike Nesbitt, the Ulster Unionist representative on the Policing Board of Northern Ireland, called for an emergency meeting of the Policing Board.
Chris Heaton-Harris, the Northern Ireland Secretary, expressed deep concern over the breach, assuring that he is closely monitoring the situation.
“My officials are in close contact with senior officers and are keeping me updated,” said Heaton-Harris on X (Twitter).
What’s next for the PSNI?
The Information Commissioner’s Office (ICO) has been informed about the incident and might levy penalties and fines.
The aftermath of this significant data leak at the PSNI has repercussions far beyond digital boundaries. Officers and their families may feel more exposed than ever.
“I have chosen to do this job and over time have become accustomed to the risks, but what this breach has done is highlight the fear and concern that my family have about me doing this job,” said a serving police constable to the BBC.
Following a cyberattack on the UK Electoral Commission compromising millions of UK voters’ data, it appears there is an urgent need to reassess how sensitive data is stored, accessed, and shared.
“8 August 2023 was a rather shocking day for data breach announcements. No doubt, the Information Commissioner will be looking carefully into this to see whether PSNI had appropriate technical and organisational measures in place to try to prevent such an incident.
“Although the Commissioner has a current policy of rarely, if ever, fining public authorities, one cannot discount the possibility if this is deemed to have been a serious infringement,” said Jon Baines, Senior Data Protection Specialist at Mishcon de Reya.