In a significant blow to data security, the Police Service of Northern Ireland (PSNI) has suffered a major data breach this week. Sensitive information relating to both officers and members of the public has been exposed, raising concerns about the potential implications for national security and personal privacy.
The breach compromised highly sensitive data, including personal details of police personnel, confidential case files, and potentially even operational tactics. It is believed that the breach could extend to information about ongoing investigations and undercover officers, posing a serious threat to law enforcement efforts.
Authorities have yet to ascertain the full extent of the breach, as the investigation is still in its early stages. The PSNI, in collaboration with cybersecurity experts, has immediately initiated measures to contain the breach and assess the damage. The National Cyber Security Centre (NCSC) has also been called in to provide expertise and support.
Commenting on the news and offering insight are the following cybersecurity experts:
Erfan Shadabi, cybersecurity expert at comforte AG:
“A data breach can be a mess for any company or individual caught up in having sensitive PII or PHI apprehended and exposed. The news that the Police Service of Northern Ireland (PSNI) suffered a serious data breach that exposed vital police information is a stark reminder of the significant consequences that can result from poor cybersecurity practices. Such an incident erodes trust, impacts individual safety, and incurs heavy legal and regulatory consequences. All organisations should prioritise data-centric security measures, especially when sensitive data is concerned. By adopting robust data-centric security strategies, organisations can protect sensitive information at its core, mitigating the impact of potential breaches. Encrypted data, strict access controls, and continuous monitoring are essential components to safeguard personal data effectively.”
Camilla Winlo, head of data privacy at Gemserv:
“It looks like the Police Service of Northern Ireland (PSNI) personal data breach was caused by including excess information in a Freedom of Information request response. According to reports, the source data was included as well as the summary data that the requester asked for. That’s an easy mistake to make, so it’s particularly important to ensure there are good controls in place. In this case, reports suggest that the error was identified fairly quickly and the personal data file was removed within an hour. However it doesn’t take long for this kind of information to be accessed and potentially copied. In 2019 there was a somewhat similar breach, where excess personal data was published by the Cabinet Office along with the New Year’s Honours list. According to the ICO, in the 2 hours and 21 minutes this was available online, it was accessed 3,872 times.
In my opinion, requests for information under the Freedom of Information Act and data protection legislation should always be treated as potential personal data breaches and handled very carefully. They are designed to result in the provision of information that wasn’t previously accessible outside the organisation. It’s really important that organisations handling these requests carry out a risk assessment and consider what kinds of technical and organisational safeguards need to be put in place before the response is provided. In a case like this, where the personal data related to police officers and there is a known threat to those individuals, sensible controls could have included using business information systems that can create the summary statistics without allowing the underlying data to be extracted from the database, and checking that only summary information was included in the file for publication on the website.”
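The two controls described above, generating summary statistics without letting the underlying records out, and checking a file for record-level data before it is published, can both be automated. The following is an added example, not code from the PSNI, Gemserv or any of the commentators; the officer records, column names and the `IDENTIFYING_HEADERS` list are constructed for illustration. It models the outgoing response as a workbook of named tabs and audits every tab, since an FOI answer that contains the requested summary on one tab can still carry the source extract on another.

```python
import csv
import io
from collections import Counter

# Constructed sample of the kind of source data an FOI answer is compiled from.
# Every name and value here is invented for this example.
SOURCE_CSV = """surname,initials,rank,department,location
Smith,J,Constable,Operational Support,Belfast
Jones,A,Sergeant,Intelligence,Lisburn
Brown,K,Constable,Operational Support,Derry
Taylor,M,Inspector,Surveillance,Belfast
"""

# Column headings that identify an individual. Assumed list for the example;
# a real deployment would maintain it against the organisation's data dictionary.
IDENTIFYING_HEADERS = {
    "surname", "forename", "initials", "collar number",
    "service number", "location",
}


def load_csv(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def summarise(rows, by):
    """Count records per value of column `by`.

    Only (category, count) pairs are returned, so the caller never receives the
    underlying records and cannot accidentally attach them to the response.
    """
    counts = Counter(r[by] for r in rows)
    return [{by: key, "count": n} for key, n in sorted(counts.items())]


def _is_numeric(value):
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False


def audit_for_publication(sheets):
    """Check a workbook (dict of tab name -> list of dict rows) before release.

    Returns a list of (tab, reason) findings; an empty list means no tab looks
    like record-level data. Two checks are applied to every tab:
      1. any heading that names an identifying field;
      2. a tab with no numeric column at all. A summary table always carries at
         least one aggregate (count, total, average); a tab with none is a list
         of records, whatever its headings are called.
    """
    findings = []
    for name, rows in sheets.items():
        if not rows:
            continue
        headers = [h.strip().lower() for h in rows[0].keys()]
        identifying = sorted(set(headers) & IDENTIFYING_HEADERS)
        if identifying:
            findings.append((name, f"identifying columns present: {identifying}"))
        has_aggregate = any(
            all(_is_numeric(r[h]) for r in rows) for h in rows[0].keys()
        )
        if not has_aggregate:
            findings.append((name, "no aggregate column: looks like record-level data"))
    return findings


def build_response(source_rows, by):
    """Produce the tab that should be published: summary only, and fail closed
    if anything identifying would go out with it."""
    response = {"Summary": summarise(source_rows, by)}
    problems = audit_for_publication(response)
    if problems:
        raise ValueError(f"response not safe to publish: {problems}")
    return response


if __name__ == "__main__":
    source = load_csv(SOURCE_CSV)
    print(build_response(source, "rank"))
    # The failure mode in the article: the source tab travels with the summary.
    print(audit_for_publication({"Summary": summarise(source, "rank"), "Data": source}))
```

The audit is deliberately run on the file as it will be published, not on the query that produced it, because the mistake being guarded against is what ends up in the attachment rather than what the analyst intended to send. The rank column in a summary tab is still free text, so the second check keys on the presence of an aggregate column rather than on text columns alone; that keeps a legitimate breakdown by rank from being flagged while still catching a bare list of officers.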
Pieter Arntz, Malware Intelligence Researcher at Malwarebytes:
“As we sometimes see in data breaches, there was no malicious intent, but it was a case of human error. Human errors, however, are always enabled by some oversights in security measures or protocols that are designed to depend on everyone knowing exactly what to do and what not to do.
You could compare it to the way many services depend on passwords. We expect people to keep track of hundreds of passwords that need to be so complex that they are impossible to remember. But at the same time, we blame these people if they write it down on a post-it or re-use the password for several sites.
Educating people has its boundaries; sometimes the underlying technology is just not right for the problem we are trying to solve.”