A review into a massive police data breach in Northern Ireland has blamed a force-wide lack of prioritisation of data security.
A report from the National Police Chiefs’ Council (NPCC) found the data breach, which saw details of all employees of the Police Service of Northern Ireland (PSNI) accidentally published online, was not the result of a “single isolated decision, act, or incident by any one person, team, or department”.
Instead, the review found that “it was a consequence of many factors, and fundamentally a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way.”
It added: “The need to better prioritise data, information, and cybersecurity, is not recognised at a strategic level or adequately driven by executive leaders.
“There is no force programme or strategy.”
The review found within the PSNI “there is little importance granted to essential organisational data functions and they are delivered using a ‘light touch’ approach”.
Reacting to the review’s publication, the PSNI Chief Constable Jon Boutcher admitted widespread organisational failures had taken place.
“Of course it’s a damning indictment,” he told a press conference. “That’s why so many of our officers and staff were taken aback by this, you only have to look back at February and the attack on John Caldwell. There’s no ducking these issues.”
“It’s a wake-up call for every police force in the country. It’s difficult reading. I accept and embrace the learnings within it.”
Asked by Sky News if any PSNI employee had been disciplined or terminated to date, the Chief Constable said none had, although some processes were still ongoing. He also confirmed that none of the six people that processed the FOI request have been reassigned.
“They’re at the heart of putting things right,” he said. “We’re human beings, not robots.”
“This is an organisational failure, an accumulation of issues.”
Chief Constable Boutcher said that as far as he was aware, “slightly more” than 4,000 employees of the PSNI were now actively contemplating a class action lawsuit over the data breach.
The Chief Constable said that a Data Board is being established, as recommended by the review. He has also asked the NPCC to return to critique the PSNI’s response to their report.
The chair of the Northern Ireland Policing Board Deirdre Toner said she welcomed the report and would take the time to digest its findings and work with the PSNI.
Liam Kelly, chair of the Police Federation of Northern Ireland, said that “the breach was monumental and caused massive upheaval with some officers and staff feeling their personal safety and security had been compromised. We will subject this report to detailed scrutiny and examine the recommendations that are made.”
The PFNI – which represents officers up to Chief Inspector rank – has called on the government to help meet the cost of fixing the data breach.
On 8 August, the personal information of almost 9,500 police officers and civilian staff was accidentally published as part of a Freedom of Information (FOI) response, in what the NPCC described as “the most significant data breach that has ever occurred in the history of UK policing”.
The FOI request had sought the number of officers at each rank, but the PSNI accidentally included the surname, first initial, workplace location and unit of every serving police officer and civilian staff member, full and part-time.
The data was available publicly for around two and a half hours before being removed.
How did it happen?
The NPCC review found six unnamed PSNI employees handled the processing of the FOI request, before it was released with the additional source information included.
The terms of the review meant it could not apportion blame to individuals.
Outrage and resignations
With the terror threat level in Northern Ireland raised to “severe” earlier this year, following the dissident shooting of senior officer John Caldwell, PSNI officers and staff were outraged at the breach.
It was seen as a major contributory factor to the resignation of chief constable Simon Byrne a month later.
MPs were told Catholic police officers had asked if they should start bringing guns to mass following the breach, which was estimated to potentially cost the police service up to £240m, including the potential cost of litigation.
The NPCC review team said affected officers “expressed distress, sadness and dismay”, and 4,000 of them contacted the PSNI’s threat assessment group.
“Officer and staff mental health in particular has worsened”, with one resignation and 50 reported sickness absences blamed on the data breach.
Another officer relocated “to keep themselves and their family safe”.