The Police Service of Northern Ireland (PSNI) has acknowledged a major data breach resulting from human error in responding to a freedom of information request.
It has said that the names and work locations of all its officers and civilian staff was mistakenly posted on its website for a few hours, an error that has raised serious concerns about their future safety.
The PSNI’s senior information risk owner, Assistant Chief Constable Chris Todd, said: "Police are investigating the circumstances surrounding the release of data within a spreadsheet.
“The data concerned contained the surnames and initials of current employees alongside the location and department within which they work. No other personal information was included. The breach resulted from information included in error in response to a freedom of information request.
“We have informed the organisation to make our officers and staff aware of the incident, appreciating the concern that this will cause many of our colleagues and families. We will do all that we can to mitigate any such concerns.
“An initial notification has been made to the office of the information commissioner regarding the data breach.
“The matter is being fully investigated and a Gold structure is in place to oversee the investigation and consequences. It is actively being reviewed to identify any security issues.
“The information was taken down very quickly. Although it was made available as a result of our own error, anyone who did access the information before it was taken down is responsible for what they do with it next. It is important that data anyone has accessed is deleted immediately.
“This is an issue we take extremely seriously and as our investigation continues we will keep the Northern Ireland Policing Board and the Information Commissioner’s Office updated.”
Source of mistake
According to a BBC news report, the breach derived from an FoI request from a member of the public that asked: "Could you provide the number of officers at each rank and number of staff at each grade?"
In response, an Excel spreadsheet of ‘source data’ was mistakenly returned and published on the PSNI’s FoI website, where it remained for two an a half hours until the mistake was realised. It contains multiple pieces of information including first initial and surname of every employee, their rank or grade, where they are based and the unit they work in – including sensitive areas such as surveillance and intelligence.
People on career breaks are also included.
Commentators have said that, while the list does not include addresses, it could still create a security threat to PSNI employees, many of whom keep their occupations secret due to lingering fears for their safety.
Naomi Long, a former justice minister for Northern Ireland and now leader of the Alliance Party, said on the BBC’s Good Morning Ulster programme that there will have to be a full investigation.
"There are systemic issues here why was this data available to be issued in unencrypted form in the way that it was," she said.
She added the digital footprint will be "almost impossible" to eradicate and her focus is now on making sure there is "adequate support for officers based on the level of risk".