Fears for the safety of undercover NI cops after data breach

Fears for the safety of undercover police covering dissident terrorist groups in Northern Ireland under as PSNI accidentally releases names of 10,000 officers and staff online

  • The PSNI apologised today after the information was accidentally leaked 
  • Liam Kelly, chair of the PFNI, said: ‘This is a breach of monumental proportions’

Fears have been raised for undercover police officers covering dissident groups in Northern Ireland after a data breach ‘of monumental proportions’.

There is fury today after the Police Service of Northern Ireland (PSNI) accidentally released private information about its officers and civilian workers in a freedom of information (FOI) request.

Containing the surnames of more than 10,000 people, the data appears to cover everyone within the service, from chief constable Simon Byrne down.

The major breach reportedly involves names, ranks and other personal data from employees of the, but does not involve the officers’ and civilians’ private addresses, it is understood. 

Liam Kelly, chairman of the Police Federation for Northern Ireland, told Sky News: ‘We have a number of people who are front-facing who are quite comfortable that the general public know where they work and who they are. 

‘But equally, we have a number of officers who work in more sensitive areas of policing where a veil of secrecy is their shield in protecting them from clear risks of dealing with the most dangerous people in our society, being our terrorists and our organised criminals.

‘So we have a number of people who are feeling particularly vulnerable because their identities have potentially been compromised by this.’

Liam Kelly, chairman of the Police Federation for Northern Ireland, told Sky News: ‘We have a number of people who are feeling particularly vulnerable because their identities have potentially been compromised by this.’

Naomi Long, the Alliance Party leader and a former justice minister in the Northern Ireland Executive, said: ‘Why was all this data held in one place? Why was it not encrypted? Why was a junior member of staff in a position to be able to access it? Given the sensitivity of such data, is that in itself not a concern?’

At a press conference in Belfast, PSNI Assistant Chief Constable Chris Todd (pictured) said the surnames, initials, the rank or grade, the location and the departments of all current officers had been accidentally published in response to a Freedom of Information (FOI) request

Naomi Long, the Alliance Party leader and a former justice minister in the Northern Ireland Executive, said: ‘Why was all this data held in one place? Why was it not encrypted? Why was a junior member of staff in a position to be able to access it? Given the sensitivity of such data, is that in itself not a concern?’ 

Mr Kelly also told BBC Radio 4’s Today programme: ‘Since this story broke yesterday afternoon I’ve been personally inundated with officers who are outlining that they are shocked, dismayed and basically angry that this has happened.

‘Our officers go to great lengths to protect their identities. Some of them don’t even tell their close friends and associates that they are actually in the police.’

He added: ‘Certainly in my 29 years of the police I’ve never experienced something like this, and quite rightly the PSNI have declared this matter as a critical incident and have reported it to the Information Commissioner’s office.

‘What my members and myself clearly need to hear from the PSNI is the steps that they intend to take to support not only our officers but their families.’

The request for information had asked for a breakdown of all staff rank and grades in the PSNI.

Northern Ireland Secretary Chris Heaton-Harris said he was ‘deeply concerned’ by the data breach, while the Police Federation for Northern Ireland (PFNI) said its members were ‘appalled’. 

Addressing the media in Belfast on Tuesday, Assistant Chief Constable Chris Todd apologised to officers for the ‘unacceptable’ breach.

He said that once it was brought to the PSNI’s attention it was taken down ‘quickly’, and that early indications were that this was a ‘simple human error’.

Mr Todd also said there were no immediate security concerns, but they were monitoring the situation.

‘I understand that that will be of considerable concern to many of my colleagues and their families indeed, at the moment,’ he said.

‘We operate in an environment at the moment where there’s a severe threat to our colleagues from Northern Ireland-related terrorism and this is the last thing that anybody in the organisation wants to be hearing this evening.

‘So, I owe it to all my colleagues to make sure that this is investigated thoroughly, and we’ve initiated that and will keep them informed, keep all the staff associations informed of that investigation, and we’ve been engaging with them throughout the afternoon.

‘The information was taken down very quickly but, nevertheless, I do appreciate the concern, of course we will seek to find the extent to which that has been viewed.

‘What I would say is that although the error was our own, once that information was out there if anybody did have access to it, I would ask them to delete it straight away.’

Mr Todd said: ‘In terms of the security for individuals, there’s nothing at the moment to suggest there’s any immediate security concerns, but we have put actions in place to ensure that if anything does arise we will be aware of that, and then we can mitigate accordingly’

He added: ‘We’ve identified some steps that we can take to ensure that it doesn’t happen again. It is regrettable but it is simple human error’

The incident was first reported by the Belfast Telegraph, which reported that it viewed the uploaded material after it was contacted by a relative of a serving officer.

Apart from the person who released the information, the PSNI was unaware the information had been released until they saw it on a website, Mr Todd confirmed.

He said that despite the data only including surnames and initials, the breach will still be ‘of significant concern to many of my colleagues’.

‘We will ensure we do anything we can to mitigate any security risks that are identified.’

He added: ‘We’ve looked into the circumstances, we’ll continue with our investigation, but the very early considerations are that this is simple human error and the people who have been involved in the process have acted in good faith.

‘We’ve identified some steps that we can take to ensure that it doesn’t happen again.

‘It is regrettable but it is simple human error.’

Liam Kelly, chair of the PFNI, said: ‘This is a breach of monumental proportions. Even if it was done accidentally, it still represents a data and security breach that should never have happened.

‘Rigorous safeguards ought to have been in place to protect this valuable information which, if in the wrong hands, could do incalculable damage.

Northern Ireland Secretary Chris Heaton-Harris (pictured) said he was ‘deeply concerned’ by the data breach, while the Police Federation for Northern Ireland said its members were ‘appalled’

Politicians have reacted with shock – the SDLP’s policing spokesman Mark H Durkan called on PSNI Chief Constable Simon Byrne (pictured) to make a statement

‘The men and women I represent are appalled by this breach. They are shocked, dismayed and justifiably angry. Like me, they are demanding action to address this unprecedented disclosure of sensitive information.’

A spreadsheet was published publicly online relating to how many officers the service has of each rank, but it had a second tab that contained more detailed information about thousands of staff members and their employment, the Belfast Telegraph reported.

The UUP representative on the Policing Board of Northern Ireland MLA Mike Nesbitt on Tuesday night called for an emergency meeting of the Policing Board.

He said: ‘It is imperative that officers, staff and their families and friends understand how seriously this breach is being taken, and that the board is determined to fulfil its oversight and challenge functions appropriately.’

He added: ‘I view this like a serious incident when people are seriously physically injured. The priority is to assist the injured. Only after that do you turn to examine the other issues.

‘In other words, my thoughts are with those whose names have been released into the public domain, who had a reasonable expectation this would never happen.’

READ MORE: Q&A: What data was accessed? Is my name and address online? Your questions answered after electoral roll cyber attack sees the details of more than 40 million people leaked

Senior police were last night meeting to discuss the breach which is being attributed to human error ahead, while Stormont politicians were calling for an emergency meeting.

Alliance leader Naomi Long MLA said: ‘This level of data breach is clearly of profound concern, not least to police officers, civilian staff and their families, who will be feeling incredibly vulnerable and exposed tonight, and in the days ahead.

‘Immediate action must be taken to offer them proper information, support, guidance and necessary reassurances regarding their and their families’ security.’

Other politicians have reacted with shock – the SDLP’s policing spokesman Mark H Durkan called on PSNI Chief Constable Simon Byrne to make a statement.

DUP MLA for South Antrim, Trevor Clarke, a member of the Northern Ireland Policing Board, said they would look for answers when it meets on Thursday, and pinned some blame on Mr Heaton-Harris.

‘The Secretary of State has presided over a budget, which is the worst that the police have ever had – they’ve looked to reduce numbers at a time they should’ve been increasing numbers,’ he told BBC Radio 4’s World Tonight.

Mr Todd said Mr Byrne is aware of the issue, but would not comment on whether he would return from his summer break to respond.

‘I’m the duty officer and I’m the senior information risk owner, so I take responsibility for this,’ he said.

The Information Commissioner’s Office (ICO) has been notified about the incident.

An ICO spokesman said: ‘The Police Service of Northern Ireland has made us aware of an incident and we are assessing the information provided.’

The PSNI was contacted for comment.

It came as it was revealed that more than 40 million voters may have had their data stolen in the biggest data breach in UK history.

The Electoral Commission has its headquarters located at 3 Bunhill Row in the City of London

The Electoral Commission revealed yesterday that ‘hostile actors’ had access to its systems for 14 months without being detected. It meant the hackers may have obtained the name and address of nearly every voter in the country.

The commission admitted it still did not ‘know conclusively what files may or may not have been accessed’ and what data was downloaded or copied. The criminals were able to view electoral registers with the names and addresses of at least 40 million people registered to vote between 2014 and 2022.

The attack on the Electoral Commission also compromised its file sharing and email system, allowing access to the online addresses and data of anyone who messaged its staff. The National Cyber Security Centre, which is probing the incident, did not rule out the possibility of a foreign state attack.

David Omand, a former GCHQ director, said Moscow was the prime suspect.

‘Russians, and I point to them in particular, have been interfering with democratic elections for some years now – think of the 2016 US election, and then the French election, and then the German election, even our own 2019 election,’ he said.

‘They have been trying to interfere with the democratic process. It is not at all surprising that hostile agencies would try and hack into the Electoral Commission.’

Sir David told BBC Radio 4 he cited Russia because of the record of its military intelligence and civilian agents in interfering with Western elections.’

Yesterday the commission stressed the data accessed would not allow anyone to meddle in parliamentary or council elections by impersonating voters. It also said it was confident the hackers did not edit or change the electoral registers.

But MPs called for the National Cyber Security Centre and Parliament’s intelligence and security committee to investigate how the data was being used.

READ MORE: TWO data breaches that defy belief: Details of more than 40 MILLION voters are exposed in a cyber attack on the electoral roll while the name of EVERY police officer in Northern Ireland is published in error 

Tory MP Simon Fell, chairman of the all-party parliamentary group on cyber security, said: ‘Frankly this attack has put us all at risk. What is so deeply concerning is the volume and scale of this data breach. 

‘A lot of this information may be in the public domain elsewhere, but where it has real value to the people who may want to cause us harm is it is all in one place. 

‘It must be the biggest single data set breach in the UK. Given the scale and complexity of this, there are very few groups capable of such an attack, the usual suspects would be Russia, China, Iran and North Korea.

‘But it is Russia that has a history of interference in elections.’

The attackers were able to access reference copies of the registers held for research purposes and for permissibility checks on political donations.

The registers included the name and address of anyone in the UK who was registered to vote between 2014 and 2022, as well as registered overseas voters.

The watchdog apologised yesterday, saying that although ‘much of the data’ was already in the public domain, it is possible ‘this data could be combined with other data in the public domain … to infer patterns of behaviour or to identify and profile individuals’.

Hackers infiltrated the commission’s systems in August 2021 but the security breach was not discovered until October 2022. The commission said the attack had ‘used a sophisticated infiltration method, intended to evade our checks’, which was why it had taken so long to detect.

Officials decided to delay informing the public while they removed the hackers and put additional security in place.

But Anthony Young, of cyber security firm Bridewell, said: ‘If the attackers had access to the commission’s email systems and controls for over 14 months, during this time they could have contacted other individuals, companies and government departments claiming to be part of the electoral commission. This could lead to further loss of data or finances.’

Shaun McNally, the chief executive of the Electoral Commission, apologised, saying: ‘The UK’s democratic process is significantly dispersed and key aspects of it remain based on paper documentation and counting.

‘This means it would be very hard to use a cyber-attack to influence the process. We know which systems were accessible to the hostile actors, but are not able to know conclusively what files may or may not have been accessed.’

Q&A: What data was accessed? Is my name and address online? Your questions answered after electoral roll cyber attack sees the details of more than 40 million people leaked

BY REBECCA CAMBER, CRIME AND SECURITY EDITOR FOR THE DAILY MAIL 

In what is the biggest data breach in UK history, more than 40 million voters may have had their data stolen as hackers had access to the Electoral Commission’s systems for 14 months without being detected.

‘Hostile actors’ could possibly have obtained the name and address of nearly every voter in the country.

The National Cyber Security Centre, which is probing the incident, has not ruled out the possibility of a foreign state attack. 

To answer any questions that you may have regarding the attack, read below:

More than 40 million voters may have had their data stolen in the biggest data breach in UK history (File image)

What data was accessed?

The hackers were able to see the names and addresses of anyone who was registered to vote in the UK between 2014 and 2022, as well as those registered as overseas voters, including those who opted to keep their details off the open register.

The details of anonymous voters – who are not identified for security or safety reasons – were not accessible.

Any details provided to the Electoral Commission via email or through forms on its website, such as the ‘contact us online’ form may also have been compromised.

READ MORE: The name of EVERY police officer in Northern Ireland is published in error

Investigators have been unable to ascertain whether the attackers read or copied personal data.

Who was behind it?

No groups or individuals have claimed responsibility for the attack, which the Electoral Commission has described as the work of ‘hostile actors’.

MI5 considers ‘hostile actors’ to include foreign state attacks, criminals, ‘hacktivist’ groups and terrorists.

Foreign states are generally equipped to conduct the most damaging cyber espionage and computer network attacks, according to MI5.

How serious is this breach?

The data contained in the electoral registers is limited and much of it is already in the public domain.

According to the risk assessment used by the Information Commissioner’s Office to assess the harm of data breaches, the personal data held on electoral registers, typically name and address, does not in itself present a high risk to individuals.

It is possible however that this data could be combined with other data in the public domain to infer patterns of behaviour or to identify and profile individuals.

Electoral Commission chief executive Shaun McNally, pictured visiting polling stations with his dogs on voting day on May 5, last year, in a photograph issued by the commission

Is my name and address online?

There is no indication that information accessed during this cyber-attack has been published online, but there remains the possibility that some information has found its way into the public domain.

There are a number of steps that can be taken to check whether your personal information is publicly available.

If you want to check if your email address has been compromised, you can search https://haveibeenpwned.com/ to see if it has been released through reported data breaches.

To see what information the Electoral Commission holds on you, you can submit a subject access request by filing in a form, or apply via email or phone.

If you think you have supplied financial data to the Electoral Commission via email, there are free online credit check tools by reputable companies like Experian, which include online identity theft protection and monitoring.

The National Cyber Security Centre also provides advice about securing your data.

Why are the public only finding out now?

The Electoral Commission was alerted to the attack by a suspicious pattern of log-in requests to its systems in October 2022.

It then emerged that the ‘hostile actors’ had first accessed servers in August 2021.

Officials delayed informing the public because security experts needed to remove the hackers and their access to our system.

The Commission had to assess the extent of the incident to understand who might be impacted and put additional security measures in place to prevent any future attacks.

Source: Read Full Article