UK and NI police data breaches: What went wrong?
Data breaches can lead to irreparable reputational and financial damage, but when they occur in front-line public-sector organisations like the police force, the safety of people and lives is also at stake.
And yet, a disastrous set of unrelated breaches has been reported by four UK police departments in the space of two weeks, with all confessing to having accidentally leaked their own data.
Norfolk and Suffolk released a joint statement attributing the personal data exposure of 1,230 people to “a technical issue” resulting in the data being included within files generated in response to Freedom of Information (FOI) requests.
This issue led to details including a range of offences, domestic incidents, sexual offences, assaults, thefts, and hate crimes being temporarily published alongside names, addresses, and dates of birth.
FoI requests essentially give the UK public the right to access information held by public authorities. Often, the public will use it to find out how much money their council has spent on something, or to find out about updates on government projects.
In the case of the Police Service of Northern Ireland (PSNI) however, way too much information was released in error last week.
In response to the question: “Could you provide the number of officers at each rank and number of staff at each grade?” the recipient received not just a numerical table, but, by mistake, a huge Excel spreadsheet which was subsequently published on the internet for a couple of hours before being taken down, and which placed the safety of its 9,300 staff in jeopardy.
It has been reported that some officers have had to move job roles and even homes as the terror threat level remains severe in the country and police information could be used maliciously.
Meanwhile Cumbria Constabulary also admitted this week to inadvertently publishing the names and salaries of all its 2,000 officers and staff online earlier this year.
Although the police forces have made efforts to take the information down as soon as it was discovered, it could easily fall into the hands of bad actors.
Earlier this week, a version of the PSNI document was reposted online with a threatening message to the police. The force’s chief constable, Simon Byrne, said that it assumes the list will be used to “generate fear and uncertainty, as well as intimidating or targeting officers and staff.”
According to Amin Fard, managing director of Lyon, a specialist IT and technology services provider, once the information is leaked it becomes hard to predict where it might end up or how many copies of the information are generated.
Too much information!
According to Fard, human error has been, and will remain, the major driver in cyber security breaches across information systems, accounting for almost 90% of breaches to date.
With the Northern Ireland incident, although the force initially claimed it was a junior member of staff who accidentally leaked the information, it has since been revealed that it had gone through five processes in four police departments before it was published.
Crucially, an FOI response should perhaps not rest on a single member of staff – and basic cyber security and data awareness training may have taught the force to carry out multiple checks before the publication of requests.
“The recent FoI data leaks within police forces serve as a timely reminder of the importance of cybersecurity at all levels of an organisation,” adds Andy Ward, VP international at cyber security firm Absolute Software.
“Especially in such a critical public service as police, where vast amounts of data are held; organisations must take precautionary measures to ensure that data leaks such as this are mitigated both from internal threats and malicious external actors,” he adds.
Senior data protection specialist at law firm Mishcon de Reya, Jon Baines, comments: “Anyone disclosing information derived from sensitive data sets should take great care to ensure that they do not inadvertently release other information.”
Baines explains that spreadsheets are notorious examples of software that can appear to “hide” information, but actually leave it exposed.
“Most public authorities are aware of the risks of this when responding to FoI requests, but mistakes can still be made,” Baines admits.
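As an added illustration of Baines's point (this is not code from the article or from any police force, and the article does not say which mechanism, if any, was involved in the incidents described), the following pre-release check lists content that a spreadsheet viewer hides but an `.xlsx` file still carries: hidden sheets, hidden rows and columns, and pivot-table caches. The sample workbook is constructed inline and the function names are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

def audit_xlsx(data: bytes) -> list:
    """List content that Excel does not display but the .xlsx file still contains."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        book = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in book.iter(f"{{{MAIN}}}sheet"):
            state = sheet.get("state", "visible")  # may be hidden or veryHidden
            if state != "visible":
                findings.append(f"sheet '{sheet.get('name')}' is {state}")
        for name in z.namelist():
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                # A pivot table keeps a copy of its source rows in this part.
                findings.append(f"{name}: cached pivot source data")
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                hidden = [e for tag in ("row", "col")
                          for e in root.iter(f"{{{MAIN}}}{tag}")
                          if e.get("hidden") in ("1", "true")]
                if hidden:
                    findings.append(f"{name}: {len(hidden)} hidden rows/columns")
    return findings

def build_sample(clean: bool) -> bytes:
    """Constructed test workbook (minimal parts only, no real data)."""
    state = "" if clean else ' state="hidden"'
    row2 = "" if clean else ' hidden="1"'
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{MAIN}"><sheets>'
                           f'<sheet name="Summary" sheetId="1"/>'
                           f'<sheet name="Source" sheetId="2"{state}/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{MAIN}"><sheetData>'
                                    f'<row r="1"/><row r="2"{row2}/></sheetData></worksheet>',
    }
    if not clean:
        parts["xl/pivotCache/pivotCacheRecords1.xml"] = f'<pivotCacheRecords xmlns="{MAIN}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_xlsx(build_sample(clean=False)):
        print("REVIEW BEFORE RELEASE:", finding)
```

An empty result only means none of these three mechanisms is present; it does not replace a human check of what the visible cells themselves disclose.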
Training is the only solution to combatting human errors, say the cyber professionals. However, it is not always at the forefront of everyone’s minds. Police forces, like many other organisations, find it hard to realise how knowledgeable staff can prevent breaches – until it’s too late.
“Training ends up becoming a secondary objective and the reason behind that is because there is no immediate return on investment,” Fard acknowledges.
Yet breached data can be held by malicious actors and only potentially returned for money, leaving a business with a loss it may not have prepared for – although the loss of money is nothing compared to the potential loss of life, in PSNI’s case.
Fard insists that businesses must train their employees, and police forces their staff, and keep them up to date.
“It doesn’t necessarily mean that if today you end up training your entire workforce, you’ve done it and box ticked. It should become an ongoing piece as tactics end up becoming more advanced,” he stresses.
Fard also suggests that organisations should implement a ‘black box thinking method’ – like in an airplane where a black box will collect information on any error made by the plane, pilot, or cabin crew for the staff to review – employees in organisations should collectively review their own software security, and staff errors to see where they can learn and improve.
“If I were to have recommendations [for organisations], training would be number one, but two would be a black box thinking method,” he adds.
In agreement, Absolute Software’s Ward says: “Organisations should implement a multi-stage approval data-handling process revolving around the safe handling and transfer of data to reduce the chance of a breach.”
“Internal threats, either of a malicious nature or from human error, are prevalent in all organisations. Police forces must monitor for signs of staff burnout that can increase the chance of errors and malicious insider threats from disgruntled staff or otherwise,” he adds.