A significant data breach has recently exposed sensitive personal information belonging to police officers and civilian staff affiliated with the Police Service of Northern Ireland (PSNI).
The breach, confirmed on August 8th, resulted from the inadvertent release of data contained in a spreadsheet following a Freedom of Information (FoI) request. This exposed the last names, initials, ranks, departments, and locations of current personnel, encompassing even those involved in sensitive areas like surveillance and intelligence.
The incident has raised concerns about the safety of police officers and their families, particularly given the elevated threat level for Northern Ireland-related terrorism, which was recently increased to 'Severe'.
The data leak occurred when a Freedom of Information request for officer and staff numbers at different ranks and grades was fulfilled. Alongside a numerical table, an extensive Excel spreadsheet was inadvertently published on the "What Do They Know" FoI website. The spreadsheet, containing over 10,000 lines of information, was in the public domain for approximately two and a half hours before being promptly removed at the request of the PSNI.
What are the key learnings?
The breach underscores the risks associated with the use of spreadsheets for sensitive data storage, a recurring issue in the public sector. Despite repeated warnings from the UK's Information Commissioner's Office (ICO), organisations continue to make the same mistakes. Past incidents include the unredacted disclosure of addresses in the Cabinet Office's 2019 New Year Honours list.
In conclusion, the recent data breach involving the PSNI has exposed sensitive personal information of officers and staff, raising significant concerns about their safety, the efficacy of undercover and intelligence work, and the overall security of the region. The incident highlights the persistent challenges in handling sensitive data, particularly the repeated misuse of spreadsheets, and underscores the need for more secure information sharing practices.
For private sector organisations, the incident also serves as a reminder to ensure that staff share files securely and that the right levels of governance are in place to keep track of sensitive information.