A major PSNI data breach is a “wake-up call” for all police forces and public sector bodies in the UK, the chief constable has said.
Jon Boutcher was speaking after an independent report into the breach found it was fundamentally the consequence of the service not seizing opportunities to secure and protect its internal information.
The review headed by Pete O’Doherty, temporary commissioner from the City of London Police, said a “siloed approach” to information management functions was also a strong contributory factor.
The report, which has made 37 recommendations, said structures within the force for dealing with data are “outdated”.
It also dealt with the impact the leak has had on the PSNI, saying that more than 4,000 officers and staff have contacted a threat assessment group, with a similar number involved in potential legal action.
Speaking at the Northern Ireland Policing Board in Belfast on Monday, Mr Boutcher said every police force and every public sector organisation should read the report into the incident.
“It’s certainly a wake-up call for every police force in the country in my view,” he said.
“It was difficult reading, but I accept and indeed embrace the learning within it. As the report shows no individual, team, department or decision or indeed act caused this breach.
The Policing Board and the PSNI have published the findings of the jointly commissioned independently led review into the PSNI Data Breach of 8 August 2023.
Read the report on our website: https://t.co/6laipH81eu pic.twitter.com/7nnnKVYXVeAdvertisement— NI Policing Board (@NIPolicingBoard) December 11, 2023
“This is an organisational failing and accumulation of issues. There are missed opportunities over a period of time.
“This report, as I say, is a wake-up call to everybody. We must take responsibility as a leadership team for this and prioritise information security in our day-to-day business in the same way as we do, particularly in Northern Ireland, with our physical security.”
In August the details of almost 9,500 PSNI officers and staff were mistakenly published in response to a Freedom of Information (FoI) request.
The list included the surname and first initial of every employee, their rank or grade, where they are based and the unit in which they work.
Police later said the information is in the hands of dissident republicans.
While the Information Commissioner has still to report on the breach, Mr Boutcher said work has been under way in response, including financial aid requests to help officers make security arrangements in their homes.
He added: “I want to thank our officers and staff for their responsibility, their dedication and indeed their resilience in dealing with this data breach in the way they have done.
“They’ve been incredibly stoic. They have very much, by and large, remained at work.
“I hope that they realise with the responses that we’ve already made within the organisation that we value the information that we have about them as indeed we do about all data that is held by the PSNI, and we will ensure that we become an organisation of best practice with regards the security of all information.”
The PSNI has indicated that the data breach could potentially cost the force £240 million in security and legal costs
The controversy contributed to the resignation of then chief constable Simon Byrne and led the PSNI and Policing Board to commission the review.
In the report, Mr O’Doherty said: “This is considered to have been the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland and, therefore, the actual, or perceived, threats towards officers, staff, and communities.”
The report concluded: “It is now evident that the breach that occurred was not a result of a single isolated decision, act, or incident by any one person, team, or department.
“It was a consequence of many factors and, fundamentally, a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way.
“At the time of the incident these factors had not been identified by audit, risk management or scrutiny mechanisms internal or external to PSNI.
“This failure to recognise data as both a corporate asset and liability, coupled with a siloed approach to information management functions, have been strong contributory factors to the breach.”
The report added: “Data and security are everyone’s business and need to be managed and nurtured in the same way as people and financial resources.”
It continued: “The need to better prioritise data, information and cyber security is not recognised at a strategic level or adequately driven by executive leaders.
“There is no force programme or strategy.
“Information asset owners (IAOs) are inconsistent. As such, there is an insufficient response at tactical and operational levels.
“Structures are outdated, siloed, and require better co-ordination with resource allocation to these areas of business not reflecting their importance.
“It is no surprise therefore that associated policies, processes, practices, training and attitudes, where they do exist, are not effectively adapted and remain too generic.”
The report has made a number of recommendations, including the creation of a specialist role akin to chief data officer to oversee and co-ordinate data functions.
Mr O’Doherty said the findings of the report will also be of interest to other police forces in the UK.
The report said seven PSNI staff members were involved in dealing with the FoI response before the information was published online.
On the impact of the leak on the force, it said: “Of the 9,483 people involved, over 4,000 proactively contacted the threat assessment group set up by PSNI as a means of support and information.
“A similar number are thought to be part of a complaint to the ICO (Information Commissioner’s Office), and a civil action against the force.”
It added that, at the time the review was carried out, no officers or staff members had been moved for their safety, although one officer has relocated.
It said some officers have temporarily relocated and others expressed a desire to relocate, but were unable to due to financial reasons.
It said there has been one resignation and more than 50 sickness absences linked to the data breach.
The report said: “The review team heard of officers and staff now too frightened to visit friends or family, who have withdrawn from the social aspects of their lives, and who fear visiting their place of worship.”
It continued: “The potential for operational consequences for the force is high.
“With recruitment and retention already problematic, especially amongst certain communities, this incident is unlikely to provide confidence to those wanting to become part of the service but fearing identification.”
