Police reps have expressed ‘dismay and anger’ after PSNI accidentally exposed names and job details of the force’s entire workforce of officers and civilians in response to an FOI request

Representatives of serving officers have warned that the Police Service of Northern Ireland has risked causing “incalculable damage” by accidentally leaking names and professionals details of the force’s entire workforce.

PSNI yesterday issued a statement revealing that it had published a spreadsheet containing the surnames and initials of all officers and civilian staff – comprising about 10,000 employees. Also included was details of their rank, unit or department, and where their role is based. The data was released as part of a response to a Freedom of Information request and remained available online for a little less than three hours before it was taken down at the force’s request.

PSNI’s senior information risk owner assistant chief constable Chris Todd said: “We have informed the organisation to make our officers and staff aware of the incident, appreciating the concern that this will cause many of our colleagues and families. We will do all that we can to mitigate any such concerns. An initial notification has been made to the office of the Information Commissioner regarding the data breach. The matter is being fully investigated and a Gold [strategic command] structure is in place to oversee the investigation and consequences. It is actively being reviewed to identify any security issues.”

Related content

• Officers pose as attackers for hire as NCA doubles number of ‘major cyber disruptions’ in FY23
• Data offered for sale after ransomware attack on Scottish university
• Home Office preps Plan B to ensure continuity of UK police database

It is not uncommon for officers and police staff in Northern Ireland to keep details of their employment as low profile as possible, as a result of the “threat [from] dissident republicans that want to kill and injure police officers” – as described by PSNI chief constable Simon Byrne.

“At the moment I am receiving virtually daily briefings about plots and plans to hurt police officers and to kill them,” he told PA in June, in an interview given shortly after the arrest of 11 people for the attempted murder in February of detective chief inspector John Caldwell, who was shot multiple times while off duty.

Responding to news of the data breach, chair of the Police Federation for Northern Ireland Liam Kelly said that his organisation represents “many colleagues who do everything possible to protect their police roles”.

“We’re fortunate that the PSNI spreadsheet didn’t contain officer and staff home addresses, otherwise we would be facing a potentially calamitous situation,” he added.

Kelly demanded an urgent inquiry into the breach and called for chief constable Byrne to provide the federation and PSNI officers with details of the actions being taken to protect employees’ identities and minimise the risks potentially created by the information leak.

“This is a breach of monumental proportions,” the federation head added. “Even if it was done accidentally, it still represents a data and security breach that should never have happened. Rigorous safeguards ought to have been in place to protect this valuable information which, if in the wrong hands, could do incalculable damage. The men and women I represent are appalled by this breach. They are shocked, dismayed and justifiably angry. Like me, they are demanding action to address this unprecedented disclosure of sensitive information.”

The UK government’s secretary of state for Northern Ireland, Chris Heaton-Harris, said that he is “deeply concerned by the data breach involving the PSNI [and] my officials are in close contact with senior officers and are keeping me updated”.

A spokesperson for UK data protection regulator the Information Commissioner’s Office said: “The Police Service of Northern Ireland has made us aware of an incident and we are assessing the information provided.”

The data exposed by PSNI is the second time in a matter of hours that a public body has admitted a significant data breach after the Electoral Commission announced that cyberattackers had gained unauthorised access to its email systems and electoral registration databases – and had gone undetected for 14 months.