PSNI data breach a ‘wake-up call’ for all UK forces
A report into the “significant” data breach at the Police Service of Northern Ireland (PSNI) has made 37 recommendations for improving information security.
Describing the incident as the “most significant data breach that has ever occurred in the history of British policing”, the report says it is a “wake-up call for every force across the UK”.
In August, the personal information of 9,483 police officers and staff working at the PSNI, including surnames, initials, ranks/grades, locations and departments, was published in error on a public website following a Freedom of Information (FoI) request.
The PSNI later confirmed that the information was almost certainly in the hands of dissident republicans.
The Northern Ireland Policing Board (NIPB) and the PSNI jointly commissioned an independent review into the data breach, which was carried out by City of London Police T/Commissioner Pete O’Doherty, the National Police Chiefs’ Council (NPCC) lead for Information Assurance and Cyber Security.
His report said the breach “was not a result of a single isolated decision, act, or incident by any one person, team, or department”.
“It was a consequence of many factors, and fundamentally a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way,” it added.
“At the time of the incident, these factors had not been identified by audit, risk management or scrutiny mechanisms internal or external to PSNI.”
Mr O’Doherty said: “It is important to recognise that many of these recommendations will need to be considered by every police force in the UK, so that we collectively work to improve how our data is protected and safeguarded.”
PSNI Chief Constable Jon Boutcher said: “The report highlights the fact that the breach that occurred was not a result of a single isolated decision, act nor incident by any one person, team or department, but more, a result of the PSNI as an organisation not better seizing opportunities to better and more proactively secure and protect its data, and identify and prevent risk earlier on, in an agile and modern way.
“The service executive team will now take time to consider the report and the recommendations contained within it. We have already taken action on one of the recommendations and the role of SIRO (senior information risk owner) has been elevated to the post of deputy chief constable.
“This will ensure that information security and data protection matters will be immediately visible to the deputy chief constable, chief operating officer and chief constable and they can be afforded the support and attention they critically deserve.
“We will work with the NIPB to consider the implications of the report and a timeframe for the completion of relevant actions that have been identified.”
NIPB chair Deirdre Toner said: “As a board we welcome the detail of the report which provides a series of recommendations for making sure that information assurance and governance policies, procedures and practice within the PSNI meet national best practice going forward.
“Whilst this review was commissioned to look specifically at PSNI systems and processes, it is evident this seminal report has lessons for policing services elsewhere. Indeed the wider criminal justice system and public sector organisations responsible for managing sets of personal and sensitive data will also take a keen interest in this report.
She added: “The end-to-end process review of information security management progressed by the review team examined five key areas where reform and organisational focus is needed.”
“The board, working with the chief constable, will now take some time to fully digest and discuss the findings and the 37 recommendations made so that an action plan for implementation can be agreed.
“As a board we remain very mindful of the immense impact that this data breach had within the PSNI and all the officers and staff who were directly affected. We have and will continue to engage with all the staffing associations on this, and on the findings now published.
“We trust this comprehensive review will also provide the necessary assurances to all those outside of the PSNI who expressed concerns following this breach.
“Through implementation of these findings we hope confidence in the approach to information management within the PSNI, and the governance and oversight of that, can be fully restored.”
The five ‘key areas’ identified in the report were: Organisational, Governance and Accountability; Taking Responsibility; Building the Foundations; Data Sharing and Usage; and Data Culture, Skills and Talent.
The report said the PSNI’s “failure to recognise data as both a corporate asset and liability, coupled with a siloed approach to information management functions, have been strong contributory factors to the breach”.
It added: “There is little importance granted to essential organisational data functions and they are delivered using a ‘light touch’ approach. Information and data governance are largely absent from organisational strategies, reporting processes and accountability structures, as well as risk registers.
“Whilst included in the audit programme, this process failed to identify risks and a lack of effective controls. This is no doubt due, in part, to the scale of the organisation, its operations and threat landscape. It is also likely to have some considerable basis in the leadership of, culture and attitude towards, these important areas of business that are often seen as complex, niche and best left to the experts. Data and security are everyone’s business and need to be managed and nurtured in the same way as people and financial resources.
“The need to better prioritise data, information, and cyber security is not recognised at a strategic level or adequately driven by executive leaders. There is no force programme or strategy. Information asset owners (IAOs) are inconsistent. As such, there is an insufficient response at tactical and operational levels. This is despite the passion and drive of some dedicated individuals and teams, and a clear desire to do things right, and ‘to do the right thing’.
“Structures are outdated, siloed, and require better coordination with resource allocation to these areas of business not reflecting their importance. It is no surprise, therefore, that associated policies, processes, practices, training, and attitudes, where they do exist, are not effectively adapted and remain too generic.
“There is an apparent presumption of knowledge in relation to generic Microsoft technologies, and a lower level of understanding of the risk of internal data sharing and good practice.
“The FoI process has no single comprehensive standard operating procedure, case tracking system or clearly defined roles and responsibilities. PSNI is unique in high levels of usage of FoI by its own officers and staff. The Data Protection Act 2018 is still not fully embedded, in particular the accountability principles, and there needs to be an improved understanding of what data is processed, more focus on high risk activities and improved monitoring.”
Mr O’Doherty said: “This is considered to have been the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland and therefore the actual, or perceived, threats towards officers, staff, and communities.
“With the significant threats facing policing by external cyber threat actors, we can’t allow ourselves to be vulnerable from within and must do everything in our power to protect our data, information, and infrastructure, and give our staff and members of the public, the absolute confidence and trust that we will protect their information.
“In order to achieve this, we must foster a more modern and robust approach to information management and security, and ensure we have the leadership, governance, structures, and systems in place to protect the institution of policing and everyone who is part of it and affected by it.
“This report not only serves to highlight how the breach occurred and what measures must be taken to prevent this from ever happening again, it is a wake-up call for every force across the UK to take the protection and security of data and information as seriously as possible and in this way, many of the recommendations in this report may apply to many other police forces.”
He said the report’s recommendations are intended to minimise the risk of any such data breach happening again, adding: “Many will be of relevance to other police forces, and chief constables are encouraged to ask themselves the question of how safe, and how well prepared their forces are.”
The Police Federation for Northern Ireland (PFNI) says it will take ‘significant additional investment’ to implement the series of recommendations made in a review into the major data breach.
In an initial reaction, PFNI chair Liam Kelly said: “We will carefully consider this report by the NPCC into the breach where the PSNI released into the public domain some personal details of officers and staff including their surnames, rank/grade and where they were stationed.
“The breach was monumental and caused massive upheaval with some officers and staff feeling their personal safety and security had been compromised. We will subject this report to detailed scrutiny and examine the recommendations that are made.”