Outdated information management practices contributed to a massive data breach by the Police Service of Northern Ireland that should act as a “wake-up call” to other police forces, according to an independent review of the debacle.
The PSNI missed opportunities to secure and protect data, leading to the leaking of details of 9,500 staff members, says the report, which was published on Monday.
Republican dissidents obtained the data after it spilled online in August, fuelling fears that officers would be targeted and driving up the estimated security and legal costs to £240m.
“This is considered to have been the most significant data breach that has ever occurred in the history of UK policing,” said the review, which was headed by Pete O’Doherty, the temporary commissioner from the City of London police.
The blunder stemmed from a legitimate freedom of information (FoI) request about the breakdown of staff roles. An individual in the human resources department failed to remove a hidden tab – visible as three dots – that contained a spreadsheet of raw data, including employees’ surnames, first initials, ranks or grades, gender, location and unit.
At least five other people failed to catch the mistake before the material was sent and posted on an FoI website, where it remained for two and a half hours before it was removed.
The breach was not a result of a single isolated decision, act, or incident by any one person, team, or department, says the report. It adds: “It was a consequence of many factors, and fundamentally a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way.”
Auditing, risk management and other scrutiny mechanisms failed to detect the vulnerability, says the report, which was commissioned by the PSNI and the Policing Board.
“This failure to recognise data as both a corporate asset and liability, coupled with a siloed approach to information management functions, have been strong contributory factors to the breach. Data and security are everyone’s business and need to be managed and nurtured in the same way as people and financial resources,” it adds.
Many of the 37 recommendations apply to other police forces, says the report. “It is a wake-up call for every force across the UK to take the protection and security of data and information as seriously as possible.”
One officer has resigned as a result of the breach and 50 have gone on sick leave. More than 4,000 officers and staff have contacted a threat assessment group and a similar number are involved in potential legal action.
The fiasco paved the way for the departure of the PSNI chief constable, Simon Byrne. His successor, Jon Boutcher, said the report showed organisational failing.
He said: “There were missed opportunities over a period of time. We must take responsibility as a leadership team for this and prioritise information security in our day-to-day business.”
Liam Kelly, the chair of the Police Federation for Northern Ireland, said London would have to help the already overstretched PSNI pay the legal and security costs.
He said: “Ministers cannot walk away from their responsibilities or give the tiresome and lame excuse that as policing is a devolved matter, solutions and funding will have to come from a reconstituted Northern Ireland executive.”