Incident & Breach Response
,
Security Operations
Independent Review Issues 37 Recommendations to Police Service of Northern Ireland
Northern Ireland officials are pledging to implement numerous data protection changes in the wake of an August data breach that exposed the surnames, roles and locations of all police officers and staff.
See Also: JavaScript and Blockchain: Technologies You Can’t Ignore
Detailed recommendations for improvements arrived Monday in the form of an independent review that was jointly commissioned by the Northern Ireland Policing Board and Simon Byrne, the chief constable of the Police Service of Northern Ireland, who stepped down in September.
Among the recommendations in the “Protecting From Within” report, published in a partially redacted form: Use key performance indicators to increase accountability for prioritizing “data, information and cybersecurity”; adopt a workflow management system to handle freedom of information requests; replace existing data loss prevention software; develop a data literacy training program; and seek internal champions to help promulgate it.
PSNI Chief Constable Jon Boutcher, appointed to the role in September and confirmed by the policing board in November, said in a statement that the board and he “will now take some time to fully digest and discuss the findings and the 37 recommendations made so that an action plan for implementation can be agreed.”
For a period of up to three hours on Aug. 8, the PSNI website hosted a spreadsheet containing the first initials and surnames, roles and locations of all officers and staff. The spreadsheet, included in a response to a Freedom of Information Act request, did not include home addresses. Lingering sectarian tensions have led many police officers and civilian employees to publicly hide their employment – especially members of the Catholic community, who might not even tell family members.
The terms of the joint independent review include investigating what led to the breach, including all “organizational, management or governance” shortcomings, and detailing needed improvements therein to prevent future data leaks as well as to “restore confidence in the organization’s approach to information security.”
Boutcher said: “The report highlights the fact that the breach that occurred was not a result of a single isolated decision, act nor incident by any one person, team or department, but more, a result of the PSNI as an organization not better seizing opportunities to better and more proactively secure and protect its data, and identify and prevent risk earlier on, in an agile and modern way.”
The report resulted from an independent investigation led by Peter O’Doherty, who became the temporary commissioner for the City of London Police in October, after serving as its assistant commissioner in charge of fraud and cybercrime investigations. He’s also the information assurance lead for the U.K. National Police Chiefs’ Council.
O’Doherty described the PSNI security lapse as being “the most significant data breach that has ever occurred in the history of U.K. policing, not only because of the nature and volume of compromised data, but because of the political history and context that sets the backdrop of contemporary policing in Northern Ireland and therefore the actual, or perceived, threats towards officers, staff and communities.”
He said the report does not review the force’s legal compliance with data protection laws, including the Data Protection Act and General Data Protection Regulation. Following the breach, the U.K. Information Commissioner’s Office launched a legal probe and said it has been “working with the PSNI to establish the level of risk and mitigations.”
The regulator said it received a copy of the joint report and that its investigation into the breach is ongoing. “Even the smallest of human errors can have major consequences,” an ICO spokesperson told Information Security Media Group. The incident “demonstrated how important it is to have robust measures in place to protect personal information, especially in a sensitive environment.”
The ICO in October reprimanded the PSNI for its failure “to have appropriate measures in place to prevent unlawful sharing of personal data including criminal data with the U.S. Department of Homeland Security.”
PSNI Elevates Information Risk Oversight
One report recommendation the PSNI has already implemented is that the senior information risk owner is now a deputy chief constable position. “This will ensure that information security and data protection matters will be immediately visible to the deputy chief constable, chief operating officer and chief constable and they can be afforded the support and attention they critically deserve,” Boutcher said.
Following the data breach, the PSNI launched Operation Sanukite for “consequence management,” to review its response to the breach and to help safeguard the physical security and welfare of PSNI personnel, following the exposure of their personal information. Days after the breach occurred, officials warned that dissident republicans possessed the information and that they would likely “use this list to generate fear and uncertainty as well as intimidating or targeting officers and staff.”
Police later arrested multiple suspects under the Terrorism Act.
Lessons Apply Broadly
The information management and security problems identified by the independent review – as well as the needed leadership, governance and technology correctives – likely apply to much more than the PSNI, O’Doherty said.
The report “is a wake-up call for every force across the U.K. to take the protection and security of data and information as seriously as possible and in this way, many of the recommendations in this report may apply to many other police forces,” he said.
In recent months, multiple British police forces have announced data breaches. Days after the Aug. 8 disclosure, the PSNI detailed a separate incident involving a lost laptop. The Constabularies of Norfolk and Suffolk said they had suffered their own accidental Freedom of Information Act breaches, exposing personal identifiable information on victims, witnesses and suspects, as well as descriptions of offenses.
Later that month, the London’s Metropolitan Police Service warned that names, ranks and photographs for potentially all 47,000 personnel may have been exposed.