- Improper Data Access: Police Departments Admit to Accessing Personal Information Illegally
- Technical Issue Explanation: Norfolk and Suffolk Constabularies Attribute Breach to “Technical Issue”
- Response and Investigation: Steps Taken to Notify and Investigate Data Breach, Cybersecurity Concerns Raised
The data was concealed from anyone opening the files, but according to the forces, it should not have been included.
Two police departments have admitted to improperly accessing the personal information of 1,230 individuals, including victims and witnesses, while officers have been instructed to maintain an “open mind” regarding the matter.
The Norfolk and Suffolk constabularies explained that a “technical issue” led to the inclusion of the data in files produced in response to Freedom of Information (FOI) requests for crime statistics.
It contained data on a variety of crimes, including domestic incidents, sexual offenses, assaults, robberies, and hate crimes.
Names, addresses, and birth dates are among the affected data.
The constabularies stated in a joint statement that the information was concealed from anyone who opened the files.
Nonetheless, they acknowledged that it should not have been included in the responses issued between April 2021 and March 2022.
For “transparency purposes,” the FOI responses were also published on police department websites.
The Assistant Chief Constable of Suffolk Police, Eamonn Bridger, stated that there is currently no evidence that the data has been improperly accessed, but that they are maintaining an “open mind”
He stated that the armed forces kept “precise records of who received the information… but it’s too early to say what happened to all of it.”
He said that it “would require a degree of specialised knowledge” to identify the Freedom of Information Act responses.
The military said they are notifying everyone and that “some extremely vulnerable individuals” are affected.
This may be done via letter, phone, or in person, depending on the data and the individual’s protection needs.
Officers anticipate the completion of this procedure by the end of September.
According to Assistant Chief Constable Bridger, a member of the police personnel discovered the data breach. And the forces “took action as soon as we reasonably could”
A swift investigation was also initiated into how the incident occurred.
“If members of the public are not contacted by the constabularies, they do not need to take any action,” according to a statement from the police.
Check Point head security engineer Muhammad Yahya Patel said it was too early to assess data security.
“When they say the data is ‘hidden,’ they could be referring to encrypted files, password-protected documents. Or even a hidden Excel spreadsheet,” he explained.
“It is not a simple task to gain access to protected data. However, the language employed implies that we cannot yet be certain of its exact level of protection.”
Recent incidents, according to Mr. Patel, demonstrate the need for more education for those who handle sensitive data at work.
Given that Norfolk and Suffolk’s responses were issued some time ago, he opined that it could be a sign that police forces have been asked to evaluate their processes and that, as a result, additional historical violations may come to light.
A distinct data breach involving the Police Service of Northern Ireland (PSNI) occurred just days prior.
The force issued an apology for a self-inflicted breach after publishing the surname, initials, rank or grade, work location, and departments of all PSNI personnel in response to a Freedom of Information request.
According to the Belfast Telegraph, it also disclosed members of the organized crime unit, intelligence officers stationed at ports and airports, officers in the surveillance unit, and nearly 40 PSNI personnel based at MI5’s headquarters in Holywood.
The information was potentially accessible for between two and a half and three hours.