The personal details of Northern Ireland’s main police force have been leaked – three reasons why that’s incredibly dangerous.

Data breaches are not a good look for any institution or organisation.

But depending on the nature of the data leaked and the organisation, some breaches can be more serious and have greater consequences than others.

Written by Kevin Hearty, Queen’s University Belfast. This article is the opinion of the author and not necessarily that of the UK Defence Journal. If you would like to submit your own article on this topic or any other, please see our submission guidelines

This is certainly true of the Police Service of Northern Ireland (PSNI), which has accidentally published information about all its police officers and civilian personnel in response to a freedom of information (FoI) request. This included a spreadsheet containing their names, their roles and where they were based.

The document was available online for several hours on the FoI website What Do They Know before being taken down. The PSNI is conducting an investigation into how this happened.

It has been reported that the spreadsheet contained approximately 345,000 pieces of data relating to every police officer. In confirming the breach, the PSNI attributed it to “human error” and stated that they were taking the matter “extremely seriously”.

PSNI chief constable Simon Byrne said in a press conference that dissident republicans claim to have some of the information and that the force is considering whether officers need to be moved from their places of work for their safety.

The data breach is said to encompass all serving staff including specialist firearms units, the tactical support group (which is responsible for public order and riot control) and those assigned to the specialist operations branch who command and assist in complex investigations.

A remarkable wealth of information about PSNI personnel has been leaked, by any stretch of the imagination. Of the many reasons why this is so serious, three stick out in particular.

1. Risking violence

A data breach of this nature is likely to leave any police force red-faced, yet for the PSNI the consequences extend far beyond public embarrassment. The long and contested history of problems with policing in Northern Ireland means that there are both practical dangers and specific sensitivities that even the most well-crafted apology won’t be able to assuage.

The most immediate problem is that the personal information of serving police officers is now potentially in the public domain. This raises the question of who might have accessed this information and what they might do with it.

Today’s levels of violence in the north of Ireland are incomparable to the past but the threat of violence against serving police officers remains. This threat comes mainly from armed Irish republican groups who have rejected the peace process and Good Friday agreement.

To them, PSNI officers represent “legitimate targets” because they uphold the constitutional status quo of post-Good Friday agreement Northern Ireland. Unlike other nationalists and more moderate republicans who have come to accept reformed policing, for these armed groups the PSNI remains a “British” police force tasked with enforcing partition on the island of Ireland.

The live nature of the threat to PSNI officers was brutally reiterated this year when PSNI detective chief inspector John Caldwell was shot in County Tyrone in February. Several of the people due to be tried for his attempted murder are also accused of being involved with the IRA.

Crucially, Caldwell was targeted while he was off duty and packing up after leading a youth football training session. The people who attacked him appear to have known where to find him outside of work, clearly illustrating how personal information about PSNI officers could be used to devastating effect.

To make matters worse, it has been reported that the details of 40 PSNI staff based at MI5 are included in the breach. Personnel of this nature would surely represent prize targets to Irish republicans.

Any attack on these people that resulted in injury or death would be seen as a huge propaganda coup at a time when the armed campaigns of these groups are sporadic and stuttering.

2. Stoking community tensions

At the same time, the data breach speaks to a more difficult question around just how accepted the PSNI are in certain working-class communities. The struggle to recruit officers from working-class Catholic, nationalist, republican backgrounds is well documented.

Anyone from this background within the PSNI is unlikely to tell anyone beyond their closest family and friends what their job is. This is partly because of the security threat but also because of the problematic relationship their community had with the PSNI’s predecessor force, the Royal Ulster Constabulary.

Yet the PSNI is also experiencing difficulty recruiting from working-class Protestant, unionist, loyalist areas too. Ongoing political tensions, including Brexit, disputes about which flags should fly over public buildings in Northern Ireland and the policing of Orange Order parades, have put these communities at a remove from the PSNI. It is unlikely, then, that officers from within these communities would make their jobs publicly known either.

3. Reviving unresolved grievances

Some will also have been reminded of the past by this data breach, which has echoes of the deliberate intelligence leaks that used to come out of the Royal Ulster Constabulary during the years of conflict. The force passed the personal details of nationalists to state agents within loyalist groups, who are accused of then murdering them.

This remains at the core of grievances over state collusion during the Troubles. While this latest data breach is different in nature, it nonetheless rubs at a sore spot for victims still waiting for truth and justice.

The leaking of personal details about every serving PSNI officer is without doubt an unmitigated disaster for the PSNI, politically and organisationally. While the force has apparently set up a “gold group” – the highest internal emergency response – significant damage has already been done.The Conversation

This article is republished from The Conversation under a Creative Commons license. Read the original article.

RELATED ARTICLESMORE FROM AUTHOR

18 COMMENTS

  1. The Online Safety Bill proposes that we decrease messaging security level in the UK. Nobody really knows how this should be done, but suggestions include message apps like Whatsapp and Signal have back doors built in, compromising end-to-end encryption, or more likely that AI monitors all communication at the level of the app and silently sends back warnings to the police if it “thinks” the communicator is up to no good.

    This reverses the current Digital Defence mantra: “Secure by Design”.

    The government, driven by concerns of child safety, are willing to compromise privacy and security. The technology minister said “This government will not allow the lives of our children to be put at stake whenever they go online.” However it seems they will allow everybody’s safety, those of children and adults, to rest in the hands of barely understood technology that is almost certain to be repurposed by hackers in the future. AI is far more stupid than the police, and even the police make mistakes.

    This is a yet another timely reminder of what happens when we get data security wrong. MOD civil servants and the military use Whatsapp and Signal just like everyone else. Secure by Design is the only safe solution.

    • The problem you outline is that mega databases inevitably leak.

      However securely you design them: humans are involved.

      So aggregating people’s data is an inevitable issue. You add to that the lack of transparency and the evaporation of checks and balances in the UK legal system and you have a disaster brewing.

      Particularly as Plod will demand access ‘operationally necessary’, ‘keeping people safe’ to it as well so nothing will be private or secure anymore as it will be being sold out of the back door as PNC data has always been sold. Really, it is more to do with very lazy policing without getting to know and understand specific people.

      Look at Snowden in the USA that wasn’t a technical but deliberate leak. Much for the same reasons, as here, that it is ‘easier’ to give lots of people ‘admin’ level access than to design proper granular security systems.

      The issue that the article never touches is on is that the first principle of data security is that data extraction should never involve dumping the whole database in Excel and then manipulating it. That must be done on the database in systems tools. The data set is only kept on the system and you use EAR (Encryption At Rest) to secure the data so if there is a hack there is no useful data to steal.

      There is never a circumstance where an unencrypted backup is made.

      Mirror copies, incremental and timed backups exist but they are always backed up with EAR on.

      The very idea that sort of data can be extracted from the database and put into a file that will go onto a laptop is crazy scary.

      Whilst I fully appreciate how very, very stupid and incompetent Plod leadership are this leak points to the fact that there are no proper data controls in place in Plod systems.

      The sad an inevitable conclusion of this is that as Plod has access to most things that means there is no effective data security.

      Maybe the Police Federation should direct their angst at this rather than navel gazing, as usual, it is evyones’ data that is at risk from the idiots running this mess.

      • I can’t talk for plod, however, the services further up the tree will be using ESN before the emergency services. We had ESN beta for the London and South East group last year and it worked reasonably well, save for a few seconds delay on the odd occasion. We cannot use WhatsApp or anything like that. Our devices will not allow us to put anything on them, we have the technical branch for that. The system works just the same as a mobile telephone using EE. I never used the push-to-talk feature, it wasn’t turned on. The big difference is it doesn’t drop out or have black spots (I can almost guarantee I will find one in the first week of using it).

        As for our laptops, we have two sets of security keys just to unlock and open the files. When open, the device is in transmit mode back to the factory. If the factory doesn’t shake hands, it won’t open. Once a key has been removed, the laptops instantly lock. The keys won’t work without our biometric input. Anything that’s needed in it’s own format are now carried on a special dongle that cannot be opened by putting into a bog standard laptop. If it’s not a service device it will not even communicate with the laptop/desktop/reader.

        I am not saying it cannot be broken or is 100% secure, or infallible,. but it’s as good as you can get.

  2. While the FOI breach is the largest one, it’s actually only one of four breaches this summer with laptops and files being stolen from unattended cars, or just left on vehicles roofs by accident in the latest event. The FOI breach had multiple checkpoints in the process that should have prevented the data being published but each failed utterly, all of which suggests that the PSNI culture around data security needs to be reviewed fairly quickly.

    • The first problem is they don’t understand what days security actually is.

      Most SME’s have better data security than that.

  3. Thanks for clearing up a lot of confusion on my part. Someone better get their acts together,or has sufficient damage occured???🧐

  4. The picture is of Scottish police!
    I once attended a conference on the mainland and N.I terrorist threat. At the end I remember asking “what about N.I.?” as it hadn’t been mentioned once. The presenter replied “oh yes,we forgot about them”

    • Ah yes Russ-NI overlooked coz we’re the “wee bit attached” from across the water! 😁Some sort of reform was of course absolutely necessary but in some areas, such is the lingering bitterness that it is still almost Mission Imposible. One of my cousins was injured at a roadblock whilst serving with the RUC so for him it is hard to forgive and forget although he is long retired.
      As to data breaches-I know little about modern security systems but as with comments above it must be very difficult to secure information. If dissident republicans want to target certain PSNI members they only have to find out where they live or what school they went not to mention if their name is Paddy or Bill!!😉

      • It should be noted that the last attack on the PSNI officer was actually a “cross community” action, as his work had been impacting one of the Loyalist drug gangs so they helped the dissident Republicans for the attack.

        As I posted the PSNI have now admitted to 4 separate data breeches with the added “bonus” of reawakening tensions between the Protestant and Catholic members of the service.

        Not a great time, wonder if the Gardaí might try poaching more from them?

        • Hi Mark. I hope you are well. You are absolutely correct to point out the reality of cross community action. The old Prod vs Catholic situation is becoming far less relevant in NI-witness the growth of the Alliance Party for example, and of course as the Police Service becomes more integrated then there arises the possibility of Loyalist action against Catholic Officers.

          • Not just the officers, remember the main leak they have had has given out the names and addresses of all the clerical staff and everyone else on staff payroll. There’s been some interviews with Catholics who hadn’t even told family they were working for the PSNI and are now dealing with the fallout, a few have already said they are leaving NI due to concerns for their families…

  5. Human error… firstly, why is sensitive information taken from a place of work? People like Dyson do not allow employees to take laptops, notebooks, tablets or written material from their workplace.

    I do not see why anyone anywhere, should be allowed to take sensitive and or classified material from any workplace.

    • The issue is humans. We are not infallible.

      Subject to whom you work for Tom, you are allowed to transmit some stuff. By having the correct measures in place, you can remove it. Being secure on both sides often mean you can only transfer data between a government location to another government location. If you cannot verify the receiving centre’s efficacy, you end up taking a device with you that (should) has encryption combined with a reasonable set of security keys.

      Some data simply cannot be transmitted, I have travelled miles in my last posting to attend a meeting that went on for mere minutes. In other cases I have been on video calls where one of number present said some outlandish stuff that had no place being mentioned online using the equipment and locations of some of those present had/were.

      People always muck it up.

LEAVE A REPLY

Please enter your comment!
Please enter your name here