A significant data breach has left Northern Ireland police officers "incredibly vulnerable." Liam Kelly, chair of the Police Federation for Northern Ireland (PFNI), emphasised the severity of the breach, suggesting that some officers might have to change roles for safety reasons.
PSNI data breach summary
The Police Service of Northern Ireland (PSNI) mistakenly published the surname, initials, rank/grade, work location, and department details of all its staff while responding to a Freedom of Information (FOI) request.
The breach did not release private addresses but did reveal members of sensitive departments such as the organized crime unit, intelligence officers, surveillance unit, and some stationed at MI5's headquarters.
Naomi Long, a member of the Alliance Party, said NI officers had been left "incredibly vulnerable" and there were "major questions" arising from the latest breach. She raised significant questions regarding the data's security:
- Why was all this data held in one place?
- Why was it not encrypted?
- Why was a junior member of staff in a position to be able to access it? Given the sensitivity of such data, is that in itself not a concern?
The leaked information was public for about 2.5 to 3 hours before it was taken down. PSNI Assistant Chief Constable Chris Todd acknowledged and apologised for the breach, attributing it to "human error."
Human risk best practices
According to Chris Todd, the data breach was a result of "human error," even though those involved acted in good faith.
Human errors are inevitable to some extent, as no system or process is entirely foolproof. However, there are several measures that can be taken to minimize human errors, especially in critical systems:
Training and education: Ensure that all personnel are adequately trained for their roles. Regular training sessions can help in reinforcing best practices and updating knowledge based on the latest guidelines and technologies.
Double-checking and approvals: Implement multi-step approval processes, especially for critical actions. Before publishing or releasing any sensitive information, it should be reviewed and approved by another party.
User-friendly interfaces: Design systems and software in a way that they are intuitive and user-friendly. Clear prompts and warnings can prevent users from making unintentional mistakes.
Access control: Ensure that only authorized personnel have access to critical and sensitive information. Systems should implement role-based access controls to prevent unauthorized data access.
Data encryption: Encrypt sensitive data so that even if it's mistakenly shared or accessed, it remains unreadable without the decryption key.
Error reporting: Create an environment where employees can report mistakes without fear of retribution. Knowing about errors early can help in taking corrective actions faster.
Regular audits: Conduct regular system and process audits to identify vulnerabilities and areas of potential human error.
Feedback loops: After any mistake, it's essential to analyse what went wrong and why. Feedback loops help in understanding the root causes and in implementing preventive measures.
Backup and recovery plans: Have robust backup systems in place, and regularly test recovery plans. In case of an error, having a good recovery system can minimise damage.
Ensure that all guidelines, processes, and procedures are communicated clearly to all employees. Sometimes, human errors arise from misunderstandings or misinterpretations.
By integrating these measures, organisations can significantly reduce the risk of human errors and protect sensitive data and processes. Don't wait for a breach to remind you of the importance of human-centric security measures.