Police Scotland reported 10 data breaches to the ICO, exposing sensitive personal and biometric information of both members of the public and police staff. The compromised data included names, addresses, dates of birth, contact details, photographs, fingerprints, health records, and vehicle registrations. Several breaches also involved failures to comply with GDPR requirements for fair, transparent, and secure data processing. The incidents were severe enough to warrant regulatory reporting, with 2024 marked as the worst year on record for the force, followed by two additional breaches in early 2025. The leaks risked identity theft, fraud, reputational damage, and financial penalties under GDPR, while also eroding public trust in the institution’s ability to safeguard highly sensitive data. Remedial measures were implemented, but the scale of exposure, particularly of biometric and health data, highlights systemic weaknesses in the handling of high-risk personal information.
TPRM report: https://www.rankiteo.com/company/police-scotland
{
  "id": "pol2232822102325",
  "linkid": "police-scotland",
  "type": "Breach",
  "date": "6/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': ['members of the public', 'police staff'],
                        'industry': 'public sector',
                        'location': 'Scotland, UK',
                        'name': 'Police Scotland',
                        'type': 'law enforcement agency'}],
 'data_breach': {'personally_identifiable_information': ['names',
                                                          'addresses',
                                                          'dates of birth',
                                                          'contact details',
                                                          'photographs',
                                                          'fingerprints'],
                 'sensitivity_of_data': 'high (includes biometric and health data)',
                 'type_of_data_compromised': ['personally identifiable information (PII)',
                                              'biometric data',
                                              'health records',
                                              'vehicle registration details']},
 'description': 'A Freedom of Information (FOI) request revealed that Police Scotland reported 10 breaches to the Information Commissioner’s Office (ICO) over a specified period, affecting both public members and police staff. The breaches involved sensitive personal data, including names, addresses, dates of birth, contact details, photographs, fingerprints, health data, and vehicle registration details. Several incidents also failed to meet GDPR requirements for fair, transparent, and secure data processing. 2024 was noted as the worst year on record for such breaches, with two additional incidents already recorded in 2025. Remedial measures included staff training, guidance, and reviews of data handling practices.',
 'impact': {'brand_reputation_impact': 'long-term reputational harm',
            'data_compromised': ['names',
                                 'addresses',
                                 'dates of birth',
                                 'contact details',
                                 'photographs',
                                 'fingerprints',
                                 'health data',
                                 'vehicle registration details'],
            'identity_theft_risk': 'high (due to exposure of PII and biometric data)',
            'legal_liabilities': ['potential GDPR financial penalties']},
 'lessons_learned': 'Public sector organizations handling vast amounts of sensitive data must prioritize vigilance, staff training, access controls, encryption, audits, and incident response planning to mitigate breach risks and reputational/financial consequences.',
 'post_incident_analysis': {'corrective_actions': ['staff training and guidance',
                                                   'reviews of data storage and recording practices',
                                                   'implementation of access controls and encryption'],
                            'root_causes': ['improper data handling practices',
                                            'inadequate staff training',
                                            'lack of access controls',
                                            'failure to meet GDPR requirements']},
 'recommendations': ['Regular staff training on secure data handling and risk recognition.',
                     'Implement strong access controls with periodic permission reviews.',
                     'Use encryption for data at rest and in transit, and minimize retention of unnecessary personal data.',
                     'Conduct routine security audits, penetration tests, and GDPR compliance checks.',
                     'Develop and maintain a clear breach response procedure for rapid action and regulatory notification.'],
 'references': [{'source': 'Freedom of Information (FOI) request by LSS (data protection specialists)'},
                {'source': 'Statement by Gary Noble, LSS'}],
 'regulatory_compliance': {'regulations_violated': ['GDPR (General Data Protection Regulation)'],
                           'regulatory_notifications': ['reported to the Information Commissioner’s Office (ICO)']},
 'response': {'remediation_measures': ['staff advice and guidance',
                                       'refresher training',
                                       'reviews of recording, storage, and departmental practices']},
 'title': 'Multiple Data Breaches at Police Scotland Reported to ICO',
 'type': ['data breach', 'GDPR non-compliance'],
 'vulnerability_exploited': ['improper data handling',
                             'lack of access controls',
                             'inadequate staff training']}