UK ICO Fines Police Service of Northern Ireland 750,000 Pounds

A 2023 Breach Exposed Personal Details of All PSNI Officers and Staff
Police Service of Northern Ireland officers in riot gear raid a Belfast housing complex as they search for incendiary weapon on July 11, 2020. (Image: Shutterstock)

The U.K. data regulator imposed a fine of 750,000 pounds against the Police Service of Northern Ireland following a 2023 data breach that exposed personal details of the entire workforce.

The breach revealed surnames, initials, ranks and roles of all 9,483 PSNI officers and staff - many of whom kept their employment a secret, since law enforcement employment is still a sensitive subject in an area marked by persistent sectarian tensions (see: Northern Ireland Police at Risk After Serious Data Breach).

An investigation by the U.K. Information Commissioner's Office determined the breach occurred when the police force attempted to respond to two open records requests made through WhatDoTheyKnow, a website maintained by a British non-profit for facilitating applications made under the Freedom of Information Act. The site allows users to send requests and publishes the results.

One request asked for the number of officers at each rank and the number of staff at each civil service grade. The other sought to find out the number of police ranks held on an acting, temporary or permanent basis. PSNI staff downloaded an HR database to process the requests through an Excel spreadsheet - and forgot to remove the tab containing raw data, the ICO said in a statement posted just after midnight in Great Britain.

The information was publicly accessible on WhatDoTheyKnow for just over two hours until the platform deleted it. Dissident republicans who reject the power-sharing agreement between Ireland and the United Kingdom that quelled decades of conflict known as "The Troubles" obtained a copy.

"I don’t sleep at night. I continually get up through the night when I hear a noise outside to check that everything is ok," one affected staffer told ICO investigators. Another reported difficulties sleeping at night and that the family's children "are all stressed about my welfare, some of them have told me that they have nightmares about me getting attacked." Another who told investigators he disclosed his employment only to close family and friends worried that "many persons involved and linked to paramilitary groups and wider criminal circles in this area would know me or remember me from both school and childhood."

The British Security Service currently rates the terrorism threat level in Northern Ireland as "substantial," a medium rating that warns of a "likely" attack, but stops short of rating a terrorist incident as "highly likely."

The domestic intelligence agency lowered the level in March, after elevating it to "severe" a year earlier following an attempted assassination by dissident republicans against an off-duty detective in Omagh, County Tyrone.

The PSNI has already accepted liability, apologized for the breach and is holding mediation talks to determine compensation (see: Breach Roundup: PSNI Mediation Begins Over Data Leak Compensation).

The ICO said the fine amount of 750,000 pounds includes a substantial discount applied to government agencies. Without it, the amount would have been 5.6 million pounds, it said.

Deputy Chief Constable Chris Todd said the service accounted for the bulk of the fine in its budget, but will have to come up with an additional 140,000 pounds to pay off the full amount. "This fine will further compound the pressures the Service is facing," he said.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



