In August 2023, the Police Service of Northern Ireland (PSNI) suffered a cyber incident that exposed the personal data of 9483 police officers and civilian staff.
The breach occurred when data within an Excel spreadsheet was accidentally released in response to a Freedom of Information (FOI) request.
This revealed the surnames and initials of current employees in the service, their rank or grade, and the location and department they work in.
An independent review of the event was requested by PSNI and the Northern Ireland Policing Board.
The team that conducted the review, led by NPCC Information Assurance lead and the Commissioner of the City of London Police, Pete O'Doherty, presented their results to PSNI and NIPB on December 11, 2023.
He added that many of the recommendations in the report may apply to many other police forces.
The investigating team added that, based on the information provided, the data breach was not the result of a credible threat being made against PSNI. The cyber incident led to the resignation of Chief Constable Simon Byrne a month later and more than 50 sickness absences.
Over 4000 PSNI employees, including civilians and police officers, are taking legal action against the force.
Top Eight Security Recommendations for PSNI

The NPCC review outlined 37 recommendations, including some that were kept private for security reasons.
Record strategic risks related to cyber and data value maximization and compliance, including its use in innovative technologies.
Ensure regular audits of data functions take place, considering cooperation with other specialists within policing or the public sector.
Reposition the senior information risk owner (SIRO) at a Deputy Chief Constable level. The SIRO should also establish a force-level Data Board, including clear terms of reference and attendance by Information Asset Owners, data business area leads, and other business areas such as digital and corporate change.
Consider introducing a specialist role akin to a chief data officer overseeing and coordinating data functions.
Review the data protection officer's (DPO's) role, carefully considering statutory requirements, reporting lines, adequate resourcing, accountability functions and risk management.
Document the FOI process in one standard operating procedure, streamlining and de-duplicating all associated documentation.
Conduct a data maturity assessment with urgency to understand the organizational position and develop a program of work, continuously improving and coordinating existing services and building new capabilities, including data governance and data ethics.
Consider an executive-level sponsored organizational awareness campaign, including explaining the value of FOI, the message that information security and management is everyone's job, and its importance whilst on and off duty.
Boutcher said that a Data Board is being established, as recommended by the review.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Tue, 12 Dec 2023 15:30:12 +0000