What’s going on with data breaches in UK police forces?

16 Aug 2023

Image: © StudioProX/Stock.adobe.com

Four police forces have revealed details of data breaches this month, which were reportedly caused by technical issues and human error.

The UK has faced a slew of data breaches in its police forces recently, impacting crime victims, witnesses and officers in sensitive positions.

Both Norfolk and Suffolk police constabularies claim to have leaked sensitive information due to a “technical issue”. The timing is a bit surprising, with two police forces in the UK suffering a data breach just days after the Police Service of Northern Ireland (PSNI) suffered a similar issue.

While the causes of these breaches are different, they were due to issues in responding to Freedom of Information (FOI) requests, according to the police forces.

What happened to the PSNI?

The first data breach occurred due to “human error”, according to the PSNI. This massive breach revealed the details of all current employees within the organisation, including those in sensitive positions such as MI5.

PSNI assistant chief constable Chris Todd said the data was published accidentally in response to an FOI request. The initial request was to understand the “total numbers of officers and staff at all ranks and grades across the organisation”.

But someone at the PSNI embedded the “source data” that contained far more information than requested. The data contained the surnames and initials of all current PSNI employees, along with their work location and department.

Todd said that PSNI staff operate in an environment that has a “severe threat” of terrorism and that this data breach is “the last thing that anybody in the organisation wants to be hearing”.

Since the breach, the PSNI’s chief constable has claimed that dissident republican obtained the information that was leaked in the data breach.

The force has set up an emergency threat assessment group to provide security advice to staff following the breach. About 1,200 staff have been referred to the group already, RTÉ reports.

What caused the Norfolk and Suffolk data breach?

These two police forces claim a technical issue led to some FOI responses containing “raw data” that included personally identifiable information of individuals connected to crimes. It is understood that the breach involves the data of more than 1,200 people.

In a joint statement, these police forces said the issue relates to a “very small percentage” of responses to FOI requests for crime statistics. The responses were issued between April 2021 and March 2022, according to the constabularies.

“The data impacted was information held on a specific police system and related to crime reports,” the statement read. “The data includes personal identifiable information on victims, witnesses and suspects, as well as descriptions of offences.”

The police forces plan to inform all the affected individuals by September and a specialist team of staff have been diverted to deal with this issue.

The statement claims the leaked data was hidden from anyone opening the files. Matt Cooke, cybersecurity strategist at Proofpoint, warned that “sophisticated cybercriminals certainly do have the skills to access such leaked data” and could use it for their own benefit.

“Everyone who works with data has a responsibility to understand how the data should be handled and shared to uphold the appropriate levels of confidentiality,” Cooke said. “The public sector has a duty to do that for its employees and its citizens.”

Has the UK suffered any other recent breaches?

Coincidentally, the UK is revealing a wave of other data breaches during this period. Cumbria police force recently said that it accidentally published the names and salaries of all of its 2,000 staff members. This data breach happened in March and was only made public this month, The Guardian reports.

Meanwhile, cyberattacks continue to pose a threat for the country. Last week, the UK’s electoral commission revealed it had suffered a “complex cyberattack”, which may have affected as many as 40m voters.

The electoral watchdog said the incident was identified in October 2022 after suspicious activity was detected on its systems. A spokesperson told SiliconRepublic.com that, while it is difficult to accurately predict the number of people affected, they estimate the register for each year holds the details of around 40m individuals.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic