Northern Ireland Police at Risk After Serious Data BreachCurrent PSNI Employees' Surnames and Locations Revealed Via Public Spreadsheet
Police officers in Northern Ireland are sounding alarms over their personal safety after the Police Service of Northern Ireland accidentally exposed their personal details online.
For a period of up to three hours on Tuesday afternoon, the PSNI website hosted a spreadsheet containing the first initials and surnames, roles and locations of all officers and staff. The spreadsheet, included in a response to a freedom of information request, did not include home addresses.
See Also: The CISO's Response Plan After a Breach
"Police are investigating the circumstances surrounding the release of data within a spreadsheet," Assistant Chief Constable Chris Todd, the senior information risk owner for the PSNI, said in a statement.
Todd apologized for the breach and blamed it on "human error."
There are 9,276 officers and staff in the PSNI. Policing in Northern Ireland can be fraught with sectarian tensions despite a more than a two-decade power-sharing agreement among Catholic republicans who sought unification with Ireland and Protestant unionists loyal to the United Kingdom. The British government in March raised the terrorist threat level in Northern Ireland to "severe" following the attempted assassination of an off-duty police officer in Omagh, County Tyrone.
Many police officers and civilian employees publicly hide their employment - especially members of the Catholic community, who might not even tell family members.
"This is the most serious breach I have ever seen, due to the potential it could lead to the death or injury of those whose data has been disclosed," said Brian Honan, who heads Dublin-based cybersecurity firm BH Consulting.
Exposed information could be abused not only by criminals, including for revenge, but also by republican paramilitaries who continue to target police officers and employees.
The most recent attack occurred in February, when off-duty senior detective John Caldwell was shot in a sports complex in Omagh. He survived with "life-changing" injuries, said the chairman of Northern Ireland's Police Federation. Authorities arrested 11 people and charged three with being members of a proscribed terrorist group - in this case, the New IRA, a splinter of the Provisional Irish Republican Army that rejects a final 1997 terrorism cease-fire that helped lead to the 1998 Good Friday Agreement.
The PSNI says it is working to "to identify any security issues" posed by the breach as quickly as possible, and it has notified the Information Commissioner's Office.
"The Police Service of Northern Ireland has made us aware of an incident, and we are assessing the information provided," an ICO spokesperson said.
The PSNI's Todd called on any members of the public who have obtained the information to delete it as quickly as possible. "Although it was made available as a result of our own error, anyone who did access the information before it was taken down is responsible for what they do with it next," Todd said. "It is important that data anyone has accessed is deleted immediately."
Liam Kelly, chair of the Police Federation for Northern Ireland, criticized the PSNI for its failure of oversight and called for an urgent inquiry into the incident. He said the data exposure could lead to numerous members of the PSNI having to change roles or relocate their homes.
"This is a breach of monumental proportions. Even if it was done accidentally, it still represents a data and security breach that should never have happened," he said. "Rigorous safeguards ought to have been in place to protect this valuable information which, if in the wrong hands, could do incalculable damage."
BH Consulting's Honan said the breach is "a timely reminder that CSOs need to work with the business to see what processes the business employs and work with them to secure those processes."