A “monumental” data breach has exposed the names and rank of every serving police officer in Northern Ireland.
A spreadsheet was mistakenly published online detailing the surname, initial, rank or grade, location and the departments of all current Police Service of Northern Ireland officers and civilian staff members. It is understood that the breach does not involve private addresses.
The data was published in response to a freedom of information request at about 2.30pm, the PSNI said.
Its assistant chief constable, Chris Todd, has apologised to officers and said the severe terrorist threat facing officers has made news of the extensive data breach the “last thing that anybody in the organisation wants to be hearing”.
Todd added: “Regrettably, this evening, I’ve had to inform the Information Commissioner’s Office of a significant data breach that we’re responsible for. What’s happened is we’ve received a freedom of information request, that’s quite a routine inquiry, nothing untoward in that.
“We’ve responded to that request, which was seeking to understand the total numbers of officers and staff at all ranks and grade across the organisation, and in the response, unfortunately, one of our colleagues has embedded the source data, which informed that request.
“So, what was within that data was the surname, initial, the rank or grade, the location and the departments for each of our current employees across the police service.”
When asked if the chief constable, Simon Byrne, would be coming back from his summer break, Todd added: “I can’t speak on behalf of the chief constable, but he is certainly aware of this situation as it’s developed today.”
The data was available to the public for between two and a half to three hours, Todd said.
“We believe it was uploaded about 2.30 this afternoon,” he said. “It came to my attention as the senior information risk owner at about 4pm, with the cooperation of the host provider it was taken down within the hour.”
The chair of the Police Federation for Northern Ireland has called for an urgent inquiry. Liam Kelly said: “This is a breach of monumental proportions.
“Even if it was done accidentally, it still represents a data and security breach that should never have happened. Rigorous safeguards ought to have been in place to protect this valuable information which, if in the wrong hands, could do incalculable damage.
“Inadequate or poor oversight of FOI procedures must be addressed and addressed urgently. New safeguards are obviously required to prevent this from ever happening again.”
During the Troubles, police officers in Northern Ireland were regularly attacked by republican paramilitary groups. Members of the PSNI have also been targeted in gun and bomb attacks in the years after the Good Friday agreement.
In February, senior PSNI officer DCI John Caldwell suffered life-changing injuries when he was shot after coaching a youth football team in Omagh in County Tyrone.
Asked how useful the information released in the data breach would be to terrorist organisations, Todd said it would be of a “significant concern” to PSNI officers and staff.
“It is limited to surname and initial only, so there’s no other personal identifiable information contained within the information that was published,” he said. “That will be, still, a significant concern to many of my colleagues, I know that, and we will ensure that we do everything we can to mitigate any security risks that are identified.”
He added: “I’ve written to all my colleagues across the whole of the service this evening and explained to them the actions that we’re taking, giving them information to help them further protect their own personal security and those around them.
“We will listen to the concerns of all of our colleagues individually and address any concerns that are raised.”
The Northern Ireland secretary, Chris Heaton-Harris, said he was “deeply concerned” about the data breach. The Alliance leader Naomi Long MLA said the scale of the PSNI data breach was of “profound concern”, adding: “Immediate action must be taken to offer … proper information, support, guidance and necessary reassurances regarding their and their families’ security.
“Whilst the personal data has now been removed, once such information has been published online, it leaves an indelible footprint.”
Mike Nesbitt, the Ulster Unionist representative on the Policing Board of Northern Ireland, has called for an emergency meeting of the Policing Board on Wednesday.
The Information Commissioner’s Office (ICO) has been notified about the incident. An ICO spokesperson said: “The Police Service of Northern Ireland has made us aware of an incident and we are assessing the information provided.”