Outdated data protection practice key factor in PSNI data breach

The August 2023 data breach at the Police Service of Northern Ireland (PSNI), which saw the details of thousands of serving officers leaked online following a botched response to a Freedom of Information (FoI) request, arose chiefly from an outdated approach to data protection and compliance at the force, according to an independent review.

The breach saw officers’ and staffers’ personal data fall into the hands of dissident Republicans, and has caused serious trauma for many PSNI employees, a significant number of whom have parted ways with the force citing a breakdown in trust, according to the BBC.

Pete O’Doherty, temporary commissioner at the City of London Police and National Police Chiefs Council (NPCC) lead for information assurance and cyber security, said: “This is considered to have been the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland and therefore the actual, or perceived, threats towards officers, staff and communities.

“With the significant threats facing policing by external cyber threat actors, we can’t allow ourselves to be vulnerable from within, and must do everything in our power to protect our data, information and infrastructure, and give our staff and members of the public the absolute confidence and trust that we will protect their information.”  

The report establishes that the breach at the PSNI was not the result of one individual or team’s accidental decision, but stemmed from the service having failed to grasp the importance of data protection, and not seizing the opportunity to proactively secure its data and identify and prevent risk in an agile and modern way. The report said that none of these factors had been identified by any audit, risk management or scrutiny mechanisms either within or without the force.

This failure to recognise data as both an asset and a liability, together with a siloed approach to information management functions, were both strong contributory factors in the breach.

The force was found to have attached little importance to organisational data functions, and these were delivered with a light touch approach, while information and data governance were more or less absent from its strategies and structures, and although they were included in its audit programme, these risks and the lack of controls to manage them were not spotted.

The report found this was likely due to the size of the PSNI, its complex operations and the threat landscape it faces, but also had some basis in internal leadership and culture which branded data protection as too complex, niche and somebody else’s problem.

The report further identified a lack of recognition of the need to prioritise data protection and cyber security, with no overriding force programme or strategy in the PSNI. Information asset owners (IAOs) were found to be inconsistent, and as such, the force was fundamentally incapable of mounting a sufficient response at any level, in spite of some dedicated individuals in the organisation who did recognise the need to do the right thing.

It picked up on areas around data protection policy, practice, training and attitudes, which were ineffective and too generic, with a particular concern being a presumption of knowledge with regard to the use of Microsoft technology in the force that did not necessarily exist. Added to this, the PSNI’s freedom of information process was inconsistent and had no clearly defined owner despite it being widely used in the force, and it had failed to effectively embed the principles of the Data Protection Act of 2018.

The full report, which can be downloaded here, sets out a number of recommendations for the PSNI to adopt going forward. However, added O’Doherty, these will likely be applicable to many other law enforcement agencies.

“This report not only services to highlight how the breach occurred and what measures must be taken to prevent this from ever happening again, it is a wakeup call for every force across the UK to take the protection and security of data and information as seriously as possible and in this way, many of the recommendations in this report may apply to many other police forces,” he said.

“The Service Executive Team will now take time to consider the report and the recommendations contained within it,” said PSNI chief constable John Boutcher. “We have already taken action on one of the recommendations and the role of SIRO (senior information risk owner) has been elevated to the post of deputy chief constable. This will ensure that information security and data protection matters will be immediately visible to the deputy chief constable, chief operating officer and chief constable and they can be afforded the support and attention they critically deserve.

“We will work with the Northern Ireland Policing Board to consider the implications of the Report and a timeframe for the completion of relevant actions that have been identified,” he said.