Two serious personal data incidents were reported on Tuesday, affecting residents of the UK:

• Police Service of Northern Ireland (PSNI) leaked the details of Police Officers and staff
• UK Electoral register was hacked for 15 months and “no-one noticed”

If you aren’t alarmed by this, you should be. Alarms should have been ringing before any of this happened. Ideally, none of this should have been allowed to happen at all by applying data governance policies and supporting software.

One of these incidents could be regarded as “human error”, affecting 10,000 employees – not forgetting their friends and families, and was immediately more serious and preventable. The other incident has compromised personal information; 40,000,000 UK residents of voting age and was regarded as ‘not very serious’, even though for different reasons it should be:

Northern Ireland Police Data Breach

This is clearly the most disturbing of the two incidents and given all of the data governance education and regulatory compliance steps that need to be followed these days, shows how far many organisations haven’t travelled – and how far they need to go.

In response to a Freedom of Information Act (FOIA) request on 3^rd August 2023: Could you provide the number of officers at each rank and number of staff at each grade?, the details of staff containing the surname, initials, rank, work location and departments for all PSNI employees was published of a website for 2.5 hours. What’s more, an Excel spreadsheet containing such sensitive information was allowed to be published and be accessed by anyone who had an interest in looking.

It also revealed members of the organised crime unit, intelligence officers stationed at ports and airports, officers in the surveillance unit and almost 40 PSNI staff based at MI5’s headquarters in Holywood, the Belfast Telegraph reported.

There are issues that jump straight out here:

• Someone had access, not only to this information, could post it on a website, and this had not been blocked by internal procedures. FOIA responses must be made publicly available. Having said that, it should have been obvious that the spreadsheet in its entirety must not have been posted.
• According to section 110 Datasets-FOI-Guidance:…. public authorities should in particular take account of the exemption in section 40(2) of FOIA, where disclosure of personal data would contravene DPA [Data Protection Act] principles.

‘Successful’ Cyber Attack / UK Electoral Register Hacked By ‘Hostile Actors’…….for 15 months

The Electoral Commission has admitted to a “complex cyber attack” affecting the details of 40 million people. This doesn’t feel too bad then. Especially that it was undertaken by ‘hostile actors’, and it was only the names and addresses of almost all the adults in the country. In addition to that, the Commission’s email system was hacked, meaning that email addresses and phone numbers of anyone who corresponded with them was compromised. Still not worried?

This incident was not disclosed for ten months while the “hostile actors” were removed from their systems. During this time “additional security measures” were put in place to protect our information.

At the time of writing, it is unclear how much information has been compromised, or who performed the attack.

In Summary:

Data governance may appear to be mundane and a time consuming and expensive exercise. It’s not exciting and it can be considered as getting in the way of day-to-day tasks. But some things are too important not to protect.

In the case of the PSNI leak, at the very least, simple procedure could have avoided this incident. Identifying this spreadsheet as highly sensitive could have alerted whoever copied this to their website and made them question what they were doing. Having said that, large amounts of sensitive information was available in an unencrypted format and could be freely copied to another location. Imagine how many copies of this and other spreadsheets are sitting on file shares and desktops.

Regarding the Electoral Commission, hackers are successful from time to time. Sophisticated attacks do work, but in this case, mitigations were made after this attack. They were unable to identify what information had been leaked. Understandably, details are limited because this is effectively an attack on our democracy. Let’s not worry though, I’m sure all our electoral information was stored in a single, secure, encrypted location!

If you think a Data Governance or Classification solution could help secure your business or want to learn more, get in touch today at info@handd.co.uk or phone +44 (0)845 643 4063.

Written by Paul Devlin,
Solutions Architect at HANDD Business Solutions