Northern Ireland police officers have been left “incredibly vulnerable” after a huge data breach compromised the details of every serving officer and member of staff.
The Police Service of Northern Ireland (PSNI) has apologised for the self-inflicted security breach after it inadvertently published the information in response to a Freedom of Information (FOI) request on Tuesday.
The breach involved the surname, initials, the rank or grade, the work location and departments of all PSNI staff, but did not involve the officers’ and civilians’ private addresses.
It also reveals members of the organised crime unit, intelligence officers stationed at ports and airports, officers in the surveillance unit and almost 40 PSNI staff based at MI5’s headquarters in Holywood, the Belfast Telegraph reports.
The breach came just hours after the Electoral Commission revealed “hostile actors” managed to hack its systems, exposing the data of more than 40 million voters.
The Alliance Party’s Naomi Long said NI officers had been left “incredibly vulnerable” and there were “major questions” arising from the latest breach.
PSNI officers have been the targets of republican paramilitaries in recent years and in March the terror threat level in Northern Ireland was raised to severe.
Ms Long added: “There will have been officers, their families, members of civilian staff and their families, who will have spent a very uncomfortable night last night feeling exposed and vulnerable in a way that they previously didn’t.
“We know officers in Northern Ireland often can’t even return to visit family when they join the PSNI because of the level of risk. If they have an unusual name or are identifiable in some way, their families could also feel incredibly vulnerable.”
She said the Information Commissioner could impose penalties and fines, but the more pressing issue is the impact it will have on officers and their families.
She asked: “Why was all this data held in one place? Why was it not encrypted? Why was a junior member of staff in a position to be able to access it? Given the sensitivity of such data, is that in itself not a concern?”
‘Some officers may not be able to continue’
Liam Kelly, chair of the Police Federation for Northern Ireland (PFNI), told Sky News there are some officers who will not be able to continue in their roles due to safety concerns, and some may even have to move house. He had earlier described the breach as “monumental”.
“We have a number of officers who work in more sensitive areas of policing where a veil of secrecy is their shield and protects them from clear risk in dealing with the most dangerous people in our society, being our terrorists and our organised criminals,” he told Sky’s Jayne Secker.
“We have a number of people who are feeling particularly vulnerable because their identities have potentially been compromised by this so the service has to be very clear with those officers about what they can do to limit the damage that has been caused by this data breach, but equally to rebuild the trust that the organisation has those officers’ backs to support them and protect their identities.”
Data breach plays into hands of those who deem officers of the crown legitimate targets
It would be difficult to exaggerate the scale of what the Police Federation is calling a “monumental” data breach.
Northern Ireland is the one part of the UK where the terror threat level has been raised from substantial to severe, meaning attacks are highly likely.
That threat comes from dissident Irish republicans, the self-styled New IRA in particular, a conglomerate of breakaway factions still pursuing Irish unity by violent means.
The release of the names and ranks of an estimated 10,000 serving police officers and civilian staff plays right into the hands of those who deem officers of the crown legitimate targets.
Earlier this year, the New IRA claimed responsibility for a gun attack on Detective Chief Inspector John Caldwell in Omagh – he was shot and seriously injured.
Police officers I’ve spoken to say they’re required to implement rigorous data protection protocols and are furious their own data has been breached.
Chief Constable Simon Byrne is under pressure to cut short his holiday and return to Northern Ireland.
Given that the security of his officers and their families should be his top priority, he would be wise to do so.
What does the PSNI say?
PSNI Assistant Chief Constable Chris Todd apologised for the latest breach, saying: “I’ve had to inform the Information Commissioner’s office of a significant data breach that we’re responsible for.
“This is unacceptable.”
He said it was a result of “human error” with the people involved in the process having “acted in good faith”.
Mr Todd said the information was mistakenly made public for approximately two and a half to three hours after being published at 2.30pm on Tuesday afternoon.
The data breach was brought to his attention at 4pm and was then taken down within the hour.
He added the leak was “regrettable” and that steps had been identified to avoid a similar error from happening again.
How did the breach occur?
Explaining how exactly the breach happened, Mr Todd said: “What’s happened is we’ve received a Freedom of Information request, that’s quite a routine inquiry, nothing untoward in that.
“We’ve responded to that request, which was seeking to understand the total numbers of officers and staff at all ranks and grade across the organisation, and in the response, unfortunately, one of our colleagues has embedded the source data, which informed that request.
“So, what was within that data was the surname, initial, the rank or grade, the location and the departments for each of our current employees across the police service.”
When asked how useful the information would be to terrorist organisations, Mr Todd said the breach is of “significant concern” to many colleagues and information on how they can protect their own personal security has been passed down.
What will happen now?
The Information Commissioner’s Office (ICO) has been notified about the incident.
An ICO spokesperson said: “The Police Service of Northern Ireland has made us aware of an incident and we are assessing the information provided.”
The Belfast Telegraph initially reported the breach, after the newspaper was made aware of the spreadsheet by the relative of a member of police staff.
It reported the spreadsheet had the response to the FOI about police staffing numbers in one tab – with the source information mistakenly included in another.
What other reaction has there been?
Chris Heaton-Harris, the Northern Ireland Secretary, has said he is “deeply concerned” about the breach.
Writing on X (formerly Twitter), he said: “My officials are in close contact with senior officers and are keeping me updated.”
The DUP’s Policing Board representative, MLA Trevor Clarke, said the extent of the data breach in the PSNI is “unprecedented” and “deeply alarming”.
He added: “The public will be rightly seeking answers and they deserve to see a robust response from the PSNI senior command.”
The UUP representative on the Policing Board of Northern Ireland, MLA Mike Nesbitt, has called for an emergency meeting to discuss the breach, while Alliance leader Naomi Long MLA said it was of “profound concern”.