In 2023, the PSNI accidentally released the personal details of its entire 9,400-strong workforce in response to a Freedom of Information (FOI) request. The exposed data, published on a public website, was later obtained by dissident republican groups, posing severe risks to officers and staff, including potential targeting or harm. The breach has led to thousands of compensation claims, with six test cases now being heard at Belfast High Court to set a precedent for settlements. The PSNI has admitted liability but lacks funds to cover the estimated £119m compensation bill, after the UK government rejected a financial request. The incident has left employees vulnerable, with long-term security and reputational consequences for the organization. Legal proceedings are ongoing, with the court expected to assess damages over several weeks, as no universal out-of-court settlement was feasible.
Source: https://www.bbc.com/news/articles/c20e82e4wp8o
TPRM report: https://www.rankiteo.com/company/police-service-of-northern-ireland
{
  "id": "pol0992309110325",
  "linkid": "police-service-of-northern-ireland",
  "type": "Breach",
  "date": "6/2023",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': '9,400 (entire workforce)',
                        'industry': 'Public Safety/Government',
                        'location': 'Northern Ireland, UK',
                        'name': 'Police Service of Northern Ireland (PSNI)',
                        'size': '9,400 employees (workforce)',
                        'type': 'Law Enforcement Agency'}],
 'attack_vector': 'Human Error (Improper FOI Response Handling)',
 'data_breach': {'data_exfiltration': 'Yes (published online, obtained by '
                                      'dissident groups)',
                 'number_of_records_exposed': '9,400',
                 'personally_identifiable_information': 'Yes (exact PII types '
                                                        'unspecified)',
                 'sensitivity_of_data': 'High (personal details of law '
                                        'enforcement personnel)',
                 'type_of_data_compromised': 'Personnel Records'},
 'date_publicly_disclosed': '2023',
 'description': 'The Police Service of Northern Ireland (PSNI) accidentally '
                'released personal details of its entire 9,400-strong '
                'workforce in response to a Freedom of Information (FOI) '
                'request. The data was published on a website and later '
                'obtained by dissident republicans. Six test cases for '
                'compensation claims are being heard at Belfast High Court, '
                'with the PSNI accepting liability but lacking funds to cover '
                'the estimated £119m compensation bill requested from the UK '
                'government. The breach has led to legal action from thousands '
                'of affected officers and staff.',
 'impact': {'brand_reputation_impact': 'Severe (public trust erosion, '
                                       'high-profile legal case)',
            'data_compromised': 'Personal details of 9,400 PSNI workforce '
                                'members',
            'financial_loss': {'estimated_compensation_bill': '£119 million '
                                                              '(requested, '
                                                              'unapproved)',
                               'legal_costs': None},
            'identity_theft_risk': 'High (personal details exposed to '
                                   'malicious actors)',
            'legal_liabilities': 'Confirmed (PSNI accepted liability; test '
                                 'cases underway)',
            'operational_impact': 'Ongoing legal proceedings, reputational '
                                  'damage, potential operational risks due to '
                                  'exposed personnel data'},
 'investigation_status': 'Ongoing (legal proceedings in Belfast High Court)',
 'motivation': ['Opportunistic (Initial Disclosure)',
                'Targeted (Subsequent Exploitation by Dissidents)'],
 'post_incident_analysis': {'root_causes': 'Human error in FOI response '
                                           'process; lack of data redaction '
                                           'safeguards'},
 'references': [{'source': 'BBC News NI'}],
 'regulatory_compliance': {'legal_actions': 'Ongoing (Belfast High Court test '
                                            'cases for compensation)',
                           'regulations_violated': ['UK Data Protection Act '
                                                    '2018',
                                                    'UK GDPR (General Data '
                                                    'Protection Regulation)']},
 'response': {'communication_strategy': 'Public acknowledgment of liability; '
                                        'court-guided settlements',
              'containment_measures': 'Data removed from website (timeline '
                                      'unspecified)',
              'incident_response_plan_activated': 'Yes (legal liability '
                                                  'accepted)',
              'law_enforcement_notified': 'N/A (PSNI is the law enforcement '
                                          'agency)',
              'recovery_measures': 'Legal proceedings (compensation claims in '
                                   'Belfast High Court)'},
 'threat_actor': 'Dissident Republicans (Secondary Exploitation)',
 'title': 'PSNI Data Breach (2023) – Unintentional Disclosure of Workforce '
          'Details via FOI Request',
 'type': 'Data Breach (Unintentional Disclosure)',
 'vulnerability_exploited': 'Lack of Data Redaction/Validation in FOI Process'}