What lessons can we learn from the PSNI data leak?
On August 8th, the Police Service of Northern Ireland (PSNI) admitted that the organisation had experienced a serious data breach “as a result of our own error”.
The breach occurred in response to a Freedom of Information request. According to the official statement, the personal protected data contained “the surnames and initials of current employees alongside the location and department within which they work”.
The police are investigating the circumstances surrounding the publication of personal data on the What We Know Website. The information has now been removed. The PSNI stated that anyone who accessed the information is responsible for what they do with it next, and a man was arrested (August 16th) on suspicion of collecting information likely to be of use to terrorists.
This error has endangered thousands of PSNI personnel and their families, putting them at considerable risk.
Where did the PSNI go wrong and what lesson can we take away from the incident?
We asked Chief Information Security Officer Paul Delahunty for his thoughts.
“The first question that I have is: how could it have happened without there being checks and balances in place to prevent it? The PSNI leak seems to be a one-point-of-failure situation.
Someone in a clerical position was allowed to access sensitive PII (Personally Identifiable Information) and presumably without malice or without thinking released this information to a third party.
It highlights several failures on the part of the PSNI leadership who were derelict in their duty of care to their employees. Access Control does not seem to have been properly enforced. Somebody had access to information they shouldn’t have had access to. They didn’t seem to have any measures in place to raise a red flag when such PII is accessed. It would appear that governance failed and whatever measures were in place to protect such sensitive data were insufficient. It’s a total failure to protect highly sensitive information.”
5 lessons you can learn from the PSNI data leak
Ensure you have defined access control to PII
Access control is an approach to security that grants access to information only on a need-to-know basis. When set up correctly, it restricts both physical and virtual access, to information, buildings or rooms, so that unauthorised people cannot reach them. When executed correctly, an administration staff member would not have carte blanche access to personal information and would not be in a position to pass it on. Furthermore, under a well-designed access control regime, checks should be in place to safeguard PII before it leaves the organisation.
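As an added illustration (not code from the article or from the PSNI), the following Python sketch shows the two controls the paragraph describes: a need-to-know gate that only returns the columns a role may read and logs a red flag on any PII access, and a separate two-person release check that refuses to let direct identifiers leave the organisation, so that a single clerical mistake is not a single point of failure. The roles, column names and sample records are constructed assumptions.

```python
"""Added example, not code from the article or the PSNI: a minimal
need-to-know gate for a staff dataset, an audit 'red flag' on any access to
PII columns, and a two-person release check before data leaves the
organisation (for example in an FOI response). Roles, column names and
sample records are constructed assumptions."""

# Fields the article says the leaked FOI response contained.
PII_COLUMNS = {"surname", "initials", "location", "department"}
IDENTITY_COLUMNS = {"surname", "initials"}   # direct identifiers

# Need-to-know policy (assumption): which role may read which columns.
ROLE_COLUMNS = {
    "hr_officer": PII_COLUMNS,
    "foi_clerk": {"department"},   # enough for headcounts, no identities
}

def fetch(records, user, role, columns, audit):
    """Return only the requested columns. Any column outside the role's
    need-to-know is refused (and logged); any PII read is logged as a
    red flag so it can be reviewed, even when it is permitted."""
    wanted = set(columns)
    denied = wanted - ROLE_COLUMNS.get(role, set())
    if denied:
        audit.append(("DENIED", user, sorted(denied)))
        raise PermissionError(f"{role} may not read {sorted(denied)}")
    if wanted & PII_COLUMNS:
        audit.append(("RED_FLAG", user, sorted(wanted & PII_COLUMNS)))
    return [{c: r[c] for c in columns} for r in records]

def release_external(rows, approvers):
    """Second check before publication: block direct identifiers outright
    and insist on two distinct approvers, so one person's mistake is
    not a single point of failure."""
    found = IDENTITY_COLUMNS & {k for r in rows for k in r}
    if found:
        return False, f"blocked: identifiers present {sorted(found)}"
    if len(set(approvers)) < 2:
        return False, "blocked: two-person approval required"
    return True, "released"

SAMPLE = [  # constructed records, not real people
    {"surname": "Doe", "initials": "J", "location": "Belfast", "department": "Traffic"},
    {"surname": "Roe", "initials": "A", "location": "Derry", "department": "Traffic"},
]

if __name__ == "__main__":
    audit = []
    summary = fetch(SAMPLE, "clerk1", "foi_clerk", ["department"], audit)
    print(release_external(summary, ["clerk1", "supervisor"]))   # (True, 'released')
    full = fetch(SAMPLE, "hr1", "hr_officer", ["surname", "department"], audit)
    print(release_external(full, ["hr1"]))                        # blocked
    print(audit)
```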
Invest in training
Cyber awareness needs to be prioritised and communicated to employees almost by osmosis. Dozens of courses are available to help with this. Following trusted resources online, and even simple things around the office such as posters, can help increase cybersecurity awareness and contribute to a culture of awareness within an organisation.
Beyond access control, it is best practice to protect critical data with robust authentication procedures. Credentials should ideally be protected by a combination of measures: Multi-Factor Authentication (MFA), physical security keys and complex passwords, deployed together so that the barrier protecting PII cannot be breached through any one avenue.
Ultimately, an organisation’s leaders, the senior management team, are responsible for the processes and systems used to manage and control their operations. Effective cyber governance needs to be an ongoing process, led from the top down, to understand how resilient your business is, where the weak points are and how to address the vulnerabilities.
A security risk assessment identifies and evaluates the security controls in place in your organisation. It analyses your overall cybersecurity risk profile to identify where weaknesses lie. Risk assessments include an evaluation of your data protection, access control and staff capability. A risk assessment could have saved the PSNI from this embarrassing public failure.
If the recent PSNI media stories have made you question your cyber security protocols, our team of information and security experts can help you identify the risks in your business.