We need your help now
Support from readers like you keeps The Journal open.
You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.
If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.
Sign in. It’s quick, free and it’s up to you.
An account is an optional way to support the work we do. Find out more.
By continuing, you are indicating that you accept our Terms of Service and Privacy Policy.
LAST UPDATE | 9 Aug 2023
THE POLICE SERVICE of Northern Ireland has declared as a “critical incident” a major data breach which resulted in personal and employment data of all staff being published online.
Meanwhile, a second data breach has emerged after the PSNI confirmed the theft of documents, including a spreadsheet containing the names of more than 200 serving officers and staff, from a private vehicle last month.
Assistant Chief Constable Chris Todd said the service is investigating the circumstances surrounding the theft.
“The documents, along with a police issue laptop and radio, were believed to have been stolen from a private vehicle in the Newtownabbey area on 6 July,” said Todd.
“We have contacted the officers and staff concerned to make them aware of the incident and an initial notification has been made to the office of the Information Commissioner regarding the data breach.”
The second breach has been confirmed following an apology from the PSNI for a “critical incident” which affected some 10,000 officers and staff.
This breach occurred when the service responded to a Freedom of Information request seeking the number of officers and staff of all ranks and grades across the organisation.
In the published response to this request, a table was embedded which contained the rank and grade data, but also included detailed information that attached the surname, initial, location and departments for all PSNI employees.
The data was potentially viewable by the public for between 2.5 to three hours.
Speaking today, Assistant Chief Constable Chris Todd said the PSNI’s investigation into this breach is ongoing.
“I can confirm that, following a routine Freedom of Information (FoI) request data contained within a spreadsheet was published on a legitimate FoI website,” said Todd.
“This included the surname, initials, rank/grade, role and location of all serving officers and staff. This data was available to view on the website for a period of up to three hours before it was removed.”
Todd added that the PSNI is “acutely aware of the seriousness of this breach and have declared it to be a critical incident”.
“We are working hard to do everything we can to mitigate any risk. We are working with our security partners and organisations to investigate this incident.”
The PSNI Assistant Chief Constable added that updated personal security advice has been issued to all staff and an “emergency threat assessment group” has been established.
Todd also said that an Independent Advisor will conduct an “end to end review of our processes in order to understand what happened, how it happened and what we can do immediately to prevent such a breach happening in the future”.
Meanwhile, Todd said that PSNI Chief Constable Simon Byrne is cutting short a family holiday due to the “extremely serious situation” and confirmed that Byrne will attend tomorrow’s special sitting of the Northern Ireland Policing Board.
Liam Kelly, chairman of the Police Federation for Northern Ireland (PFNI) which represents rank and file officers, said he has been “inundated” with messages from officers who are “shocked, dismayed and basically angry”.
Our officers go to great lengths to protect their identities. Some of them don’t even tell their close friends and associates that they are actually in the police.”
Kelly told BBC Radio 4′s Today programme that in his 29 years in the police service, he has “never experienced something like this”.
Police in the region are under threat from terrorists, with the current assessed level of threat at severe, meaning an attack is highly likely.
Earlier this year, Chief Constable Simon Byrne said he received briefings almost every day about plots to attack and kill his officers, adding that the ongoing threat from dissident republicans remains a “real worry”.
Kelly said that legal action is “something we will consider once the investigation concludes” and that he is not willing to do a vote of no confidence in the chief constable “at this point”.
Speaking this evening, Kelly said that confirmation of a second data breach “makes matters worse”.
“Clearly, urgent answers are required. How did this happen? What steps were put in place to advise and safeguard so many colleagues? How did this actually happen?
“The major security breach was bad enough but this heaps further additional pressure on the PSNI to produce credible explanations around data security protocols and the impact on officer safety.”
Elsewhere, Northern Ireland Secretary Chris Heaton-Harris said he is “deeply concerned” and added that “senior officers are keeping me updated.”
Addressing the media in Belfast yesterday evening, PSNI Assistant Chief Constable Chris Todd apologised to officers for the “unacceptable” breach following the FOI request.
He said that, once it was brought to the PSNI’s attention, it was taken down “quickly”, and that early indications are it was a “simple human error”.
Todd also said there are no immediate security concerns, but the situation is being monitored.
“The information was taken down very quickly but, nevertheless, I do appreciate the concern, of course we will seek to find the extent to which that has been viewed,” he said.
“What I would say is that, although the error was our own, once that information was out there if anybody did have access to it I would ask them to delete it straight away.”
The incident was first reported by the Belfast Telegraph, which said it had viewed the uploaded material after being contacted by a relative of a serving officer.
Apart from the person who released the information, the PSNI was unaware of it until it was seen on a website, Todd confirmed.
He said that despite the data only including surnames and initials, the breach will still be “of significant concern to many of my colleagues”.
“We will ensure we do anything we can to mitigate any security risks that are identified.”
He added: “We’ve looked into the circumstances, we’ll continue with our investigation, but the very early considerations are that this is simple human error and the people who have been involved in the process have acted in good faith.
“We’ve identified some steps that we can take to ensure that it doesn’t happen again.
“It is regrettable but it is simple human error.”
Politicians have reacted with shock since the news of the breach came to light yesterday evening.
Sinn Féin vice president Michelle O’Neill described it as “very worrying”.
“I’m very mindful of the officers, the staff and their families at this time,” she said. “But we now need all the facts laid out bare for us all to see.”
She said she hoped accountability would be achieved in an emergency policing board meeting tomorrow.
Asked if Chief Constable Simon Byrne should step down over the data breach, O’Neill said: “I think the story is unfolding but what’s very clear is that we need to have this emergency policing board meeting… we need to see the reason why this happened… and there needs to be accountability around all of that.
Speaking to RTÉ’s Morning Ireland today, Alliance MLA and former Justice Minister Naomi Long has said a serious aspect of the breach is the “human and financial cost of what has happened”.
“There will have been officers, their families, members of civilian staff and their families, who will have spent a very uncomfortable night last night feeling exposed and vulnerable in a way that they previously didn’t,” Long said.
“There will be many officers whose name, rank and base where they work will already be in the public domain and for them, in some ways, this will not affect their level of security threat,” she said.
However, Long added that “for others, for civilian staff, for officers who work in particularly sensitive areas” and their families could feel “incredibly vulnerable”.
“This is an incredibly serious situation,” she said.
“While I understand that it is, if you like, simple human error that led to the breach, I think there are systemic failures that need to be properly investigated as to how a single individual could ever have been in a position to release that amount of data anywhere, in any shape or form, without proper checks,” Long added.
Doug Beattie, leader of the Ulster Unionist Party, said everyone should be concerned about the data breach.
“Until we know the full extent of this and the repercussions from it, I think we all need to keep some cool heads.
“But the most important thing here is to rally around those police officers and their families and civilian staff who are affected by this.
“And they’re the ones that we need to really focus on at this moment in time.”
Asked if the Chief Constable should resign over the matter, Beattie said: “I think it’s too early to be in the space to call for anybody to resign. But the more we get to know about this, the more we can make informed decisions.
“But right now, there’s no point doing speculation, it’s better getting the information.”
DUP MLA for South Antrim, Trevor Clarke, a member of the Northern Ireland Policing Board, said they would look for answers when it meets tomorrow, and pinned some blame on Heaton-Harris.
“The Secretary of State has presided over a budget, which is the worst that the police have ever had – they’ve looked to reduce numbers at a time they should’ve been increasing numbers,” he told BBC Radio 4’s World Tonight.
A spokesman for the Information Commissioner’s Office said the PSNI “has made us aware of an incident and we are assessing the information provided”.
Includes reporting by Press Association and Diarmuid Pepper
To embed this post, copy the code below on your site
What ìďìòt thought that this would be OK.
That is the most dreadful thing to happen, putting so many lives in danger. Heads should roll over this.
@Playmisty4me: What heads? If you were my boss and against policy I published private company records, should you be fired?
If I want to pay off a few quid off my credit card on-line, I have to go thro three or four processes, before I can do it, yet the PSNI data was easily transferred to anyone who wanted to download it. Unbelievable lack of basis common sense
What a lawless state, the six counties! Liam Kelly, chairman of the Police Federation for Northern Ireland said “some (PSNI) might be working for the security services in MI5″
The Covert Human Intelligence Sources (Criminal Conduct) Bill was introduced into parliament in September 2020, became law in the UK in 2021. This law provides MI5, in explicit terms, with the power, through its officers (those in MI5′s employ), to authorise its ‘agents’ to engage in conduct (including crimes at the very upper level of seriousness)that would normally constitute one criminal offence or another.
We know from the De silva report that agents acting on information given to them by security services went on to murder Belfast solicitor, Pat Finucane and their crime was and is covered up by these “security” services. De Silva concluded – inter alia – that he was ‘left in significant doubt as to whether Patrick Finucane would have been murdered by the UDA in February 1989 had it not been for the different strands of involvement by elements of the State’
These agencies are acting outside the law and, incredibly, are working alongside Irish agencies in many cases.
It’s time to evaluate our cooperation with British security services and, just maybe, begin acting like a lawful republic
@John John: Provo or not, it is illegal to murder someone. If the British state was involved, it is even worse.
Storming needs to return to work and earn their pay. Northern Ireland have many issues that need to be addressed now not somewhere down the road
That’s a lot of sensitive data, open online for 3 hours. The online server will have logfiles indicating if any of the data was accessed or downloaded. The very least they’ll see is the number of times the active online page was accessed, I would expect that the webserver log will also give details of IP numbers. A little detective work required to estimate the possible extent of the damage, and estimate the risk properly.
@Tom Hogarty: for sure , but also raises some bigger concerns for the levels of cyber security in the force / if one individual is able to access this level of data this should trigger all sorts of alarms for their internal processes / extra embarrassing that it’s the most sensitive data for the whole force including mi5 operatives / frankly unbelievable and exposes the risk that one crooked worker could be bribed to access all this valuable data in the first place / safe to assume this ain’t cyber security best practice by the police of all organisations / mind boggles
@Dave Hammond: come on, the IT support guys would have had ample access to their dbms at anytime given what is now known
Amateurs and a failed state. The hits just keep on coming
Sad to think that both of the police forces on this island have become afraid of what the thugs & terrorists might do to them, while they (the thugs) have zero such concerns. Well done the civil liberties (without responsibilities) groups.
No “four eye principle” ???
Management level needs replacing.
i hope no IRA cowards got any info
@TomDuffy: Fortunately for you, you can hide behind your keyboard typing about ‘IRA côwârds’.
Oh no. Anyway
His majesty finest
HI John john
Use precise geolocation data. Actively scan device characteristics for identification. Store and/or access information on a device. Personalised advertising and content, advertising and content measurement, audience research and services development.
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work.
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then these services may not function properly.
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not be able to monitor our performance.
Cookies, device or similar online identifiers (e.g. login-based identifiers, randomly assigned identifiers, network based identifiers) together with other information (e.g. browser type and information, language, screen size, supported technologies etc.) can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here.
Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are (or have been) interacting with (for example, to limit the number of times an ad is presented to you).
Information about your activity on this service (such as forms you submit, content you look at) can be stored and combined with other information about you (for example, information from your previous activity on this service and other websites or apps) or similar users. This is then used to build or improve a profile about you (that might include possible interests and personal aspects). Your profile can be used (also later) to present advertising that appears more relevant based on your possible interests by this and other entities.
Advertising presented to you on this service can be based on your advertising profiles, which can reflect your activity on this service or other websites or apps (like the forms you submit, content you look at), possible interests and personal aspects.
Information about your activity on this service (for instance, forms you submit, non-advertising content you look at) can be stored and combined with other information about you (such as your previous activity on this service or other websites or apps) or similar users. This is then used to build or improve a profile about you (which might for example include possible interests and personal aspects). Your profile can be used (also later) to present content that appears more relevant based on your possible interests, such as by adapting the order in which content is shown to you, so that it is even easier for you to find content that matches your interests.
Content presented to you on this service can be based on your content personalisation profiles, which can reflect your activity on this or other services (for instance, the forms you submit, content you look at), possible interests and personal aspects. This can for example be used to adapt the order in which content is shown to you, so that it is even easier for you to find (non-advertising) content that matches your interests.
Information regarding which advertising is presented to you and how you interact with it can be used to determine how well an advert has worked for you or other users and whether the goals of the advertising were reached. For instance, whether you saw an ad, whether you clicked on it, whether it led you to buy a product or visit a website, etc. This is very helpful to understand the relevance of advertising campaigns.
Information regarding which content is presented to you and how you interact with it can be used to determine whether the (non-advertising) content e.g. reached its intended audience and matched your interests. For instance, whether you read an article, watch a video, listen to a podcast or look at a product description, how long you spent on this service and the web pages you visit etc. This is very helpful to understand the relevance of (non-advertising) content that is shown to you.
Reports can be generated based on the combination of data sets (like user profiles, statistics, market research, analytics data) regarding your interactions and those of other users with advertising or (non-advertising) content to identify common characteristics (for instance, to determine which target audiences are more receptive to an ad campaign or to certain contents).
Information about your activity on this service, such as your interaction with ads or content, can be very helpful to improve products and services and to build new products and services based on user interactions, the type of audience, etc. This specific purpose does not include the development or improvement of user profiles and identifiers.
Content presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type, or which content you are (or have been) interacting with (for example, to limit the number of times a video or an article is presented to you).
With your acceptance, your precise location (within a radius of less than 500 metres) may be used in support of the purposes explained in this notice.
With your acceptance, certain characteristics specific to your device might be requested and used to distinguish it from other devices (such as the installed fonts or plugins, the resolution of your screen) in support of the purposes explained in this notice.
Your data can be used to monitor for and prevent unusual and possibly fraudulent activity (for example, regarding advertising, ad clicks by bots), and ensure systems and processes work properly and securely. It can also be used to correct any problems you, the publisher or the advertiser may encounter in the delivery of content and ads and in your interaction with them.
Certain information (like an IP address or device capabilities) is used to ensure the technical compatibility of the content or advertising, and to facilitate the transmission of the content or ad to your device.
Information about your activity on this service may be matched and combined with other information relating to you and originating from various sources (for instance your activity on a separate online service, your use of a loyalty card in-store, or your answers to a survey), in support of the purposes explained in this notice.
In support of the purposes explained in this notice, your device might be considered as likely linked to other devices that belong to you or your household (for instance because you are logged in to the same service on both your phone and your computer, or because you may use the same Internet connection on both devices).
Your device might be distinguished from other devices based on information it automatically sends when accessing the Internet (for instance, the IP address of your Internet connection or the type of browser you are using) in support of the purposes exposed in this notice.
The choices you make regarding the purposes and entities listed in this notice are saved and made available to those entities in the form of digital signals (such as a string of characters). This is necessary in order to enable both this service and those entities to respect such choices.
have your say