PSNI: over 4,000 officers contact threat assessment group as review brands leak most significant data breach in UK policing history
A similar number of force members are involved in potential legal action, according to new report
Last updated 11th Dec 2023
More than 4,000 PSNI officers have contacted a threat assessment group following the major data breach that rocked the force in the summer, it was revealed today (Monday).
And sensitive information published by the PSNI, passed through the hands of six people before being published.
That information emerged from an independent review which concluded that the leak was fundamentally the consequence of the PSNI not seizing opportunities to secure and protect its internal information..
The review headed by Pete O'Doherty, temporary commissioner from the City of London Police, said a "siloed approach" to information management functions was also a strong contributory factor.
The report, which has made 37 recommendations, said structures within the force for dealing with data are "outdated".
It also dealt with the impact the breach has had on the PSNI, stating that more than 4,000 officers and staff have contacted a threat assessment group, with a similar number involved in potential legal action.
In August the details of almost 9,500 PSNI officers and staff were mistakenly published in response to a Freedom of Information (FoI) request.
The list included the surname and first initial of every employee, their rank or grade, where they are based and the unit in which they work.
Police later said the information was in the hands of dissident republicans.
The PSNI has indicated that the data breach could potentially cost the force £240 million in security and legal costs
The controversy contributed to the resignation of then chief constable Simon Byrne and led the PSNI and Policing Board to commission the review.
In the report, Mr O'Doherty said: "This is considered to have been the most significant data breach that has ever occurred in the history of UK policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland, and therefore the actual, or perceived, threats towards officers, staff, and communities."
In its findings, the report concluded: "It is now evident that the breach that occurred was not a result of a single isolated decision, act, or incident by any one person, team, or department.
"It was a consequence of many factors and, fundamentally, a result of PSNI as an organisation not seizing opportunities to better and more proactively secure and protect its data, to identify and prevent risk earlier on, or to do so in an agile and modern way.
"At the time of the incident these factors had not been identified by audit, risk management or scrutiny mechanisms internal or external to PSNI.
"This failure to recognise data as both a corporate asset and liability, coupled with a siloed approach to information management functions, have been strong contributory factors to the breach."
The report added: "Data and security are everyone's business and need to be managed and nurtured in the same way as people and financial resources."
It continued: "The need to better prioritise data, information and cyber security is not recognised at a strategic level or adequately driven by executive leaders.
"There is no force programme or strategy.
"Information asset owners (IAOs) are inconsistent. As such, there is an insufficient response at tactical and operational levels.
"Structures are outdated, siloed, and require better co-ordination with resource allocation to these areas of business not reflecting their importance.
"It is no surprise therefore that associated policies, processes, practices, training and attitudes, where they do exist, are not effectively adapted and remain too generic."
The report has made a number of recommendations, including the creation of a specialist role akin to chief data officer to oversee and co-ordinate data functions.
Mr O'Doherty said the findings of the report will also be of interest to other police forces in the UK.
The report said seven PSNI staff members were involved in dealing with the FoI response before the information was published online.
On the impact of the leak on the force, it said: "Of the 9,483 people involved, over 4,000 proactively contacted the threat assessment group set up by PSNI as a means of support and information.
"A similar number are thought to be part of a complaint to the ICO (Information Commissioner's Office), and a civil action against the force."
It added that, at the time the review was carried out, no officers or staff members had been moved for their safety, although one officer has relocated.
It said some officers have temporarily relocated and others expressed a desire to relocate, but were unable to due to financial reasons.
It said there has been one resignation and more than 50 sickness absences linked to the data breach.
The report said: "The review team heard of officers and staff now too frightened to visit friends or family, who have withdrawn from the social aspects of their lives, and who fear visiting their place of worship."
It continued: "The potential for operational consequences for the force is high.
"With recruitment and retention already problematic, especially amongst certain communities, this incident is unlikely to provide confidence to those wanting to become part of the service but fearing identification."
Responding to the report, PSNI chief constable Jon Boutcher said: "The report highlights the fact that the breach that occurred was not a result of a single isolated decision, act nor incident by any one person, team or department, but more, a result of the PSNI as an organisation not better seizing opportunities to better and more proactively secure and protect its data, and identify and prevent risk earlier on, in an agile and modern way.
"The service executive team will now take time to consider the report and the recommendations contained within it."
Meanwhile, the Police Federation for Northern Ireland said it would take ‘significant additional investment’ to implement the series of recommendations.
In an initial reaction, PFNI Chair Liam Kelly said: “We will carefully consider this report by the National Police Chiefs’ Council into the breach where the PSNI released into the public domain some personal details of officers and staff including their surnames, rank/grade and where they were stationed.
“The breach was monumental and caused massive upheaval with some officers and staff feeling their personal safety and security had been compromised. We will subject this report to detailed scrutiny and examine the recommendations that are made.
"As the PSNI already has a significant deficit budget, it will simply be impossible for any of these costs to be absorbed by the Service, either now or in the future.
“Therefore, it is imperative the United Kingdom Government expeditiously allocates the required significant additional funding to enable the implementation of the recommendations. Ministers cannot walk away from their responsibilities or give the tiresome and lame excuse that as policing is a devolved matter, solutions and funding will have to come from a reconstituted Northern Ireland Executive.”