A review into a massive police data breach in Northern Ireland has blamed a force-wide lack of prioritisation of data security.
A report from the National Police Chiefs’ Council (NPCC) found the data breach, which saw details of all employees of the Police Service of Northern Ireland (PSNI) accidentally published online, was not the result of a “single isolated decision, act, or incident by any one person, team, or department”.
Instead, the review found that “it was a consequence of many factors, and fundamentally a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way.”
It added: “The need to better prioritise data, information, and cybersecurity, is not recognised at a strategic level or adequately driven by executive leaders.
“There is no force programme or strategy.”
The review found within the PSNI “there is little importance granted to essential organisational data functions and they are delivered using a ‘light touch’ approach”.
What happened?
On 8 August, the personal information of almost 9,500 police officers and civilian staff were accidentally published as part of a Freedom of Information (FOI) response, in what the NPCC described as “the most significant data breach that has ever occurred in the history of UK policing”.
The FOI request had sought the number of officers at each rank, but the PSNI accidentally included the surname, first initial, workplace location and unit of every serving police officer and civilian staff member, full and part-time.
The data was available publicly for around two and half hours before being removed.
How did it happen?
The NPCC review found six unnamed PSNI employees handled the processing of the FOI request, before it was released with the additional source information included.
The terms of the review meant it could not apportion blame to individuals.
Outrage and resignations
With the terror threat level in Northern Ireland raised to “severe” earlier this year, following