In August 2023, the PSNI suffered a catastrophic data breach due to gross negligence and systemic failures, exposing the names, ranks, and roles of nearly 9,500 officers and civilian staff. The breach occurred when an Excel file containing the entire workforce’s personal details was accidentally published in response to a Freedom of Information (FoI) request. The leaked data was downloaded from PSNI’s HR system and uploaded to a public website, where dissident republican terrorists accessed it within days. At least four individuals failed to detect the error during internal review, exacerbating the breach’s severity. The incident coincided with an elevated terrorist threat level, raising fears of targeted attacks against officers, many of whom had kept their roles confidential for safety. The breach led to legal action from 8,500 affected individuals, with claims for negligence, data protection violations, and privacy breaches. The PSNI, already fined £750,000 by the ICO, lacks funds to settle the estimated £120 million in damages, as the UK Treasury denied financial aid. The leaked spreadsheet was later physically posted in west Belfast, compounding risks of misuse. The breach has eroded trust, endangered personnel, and left the organization financially and operationally crippled.
TPRM report: https://www.rankiteo.com/company/police-service-of-northern-ireland
"id": "pol5393053110325",
"linkid": "police-service-of-northern-ireland",
"type": "Breach",
"date": "8/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '8,500+ officers and staff '
'seeking damages',
'industry': 'Public Sector / Government',
'location': 'Northern Ireland, UK',
'name': 'Police Service of Northern Ireland (PSNI)',
'size': '~9,500 employees (workforce data exposed)',
'type': 'Law Enforcement Agency'}],
'attack_vector': 'Human Error (Inadvertent Publication via FoI Response)',
'customer_advisories': 'PSNI notified affected individuals after media '
'reports surfaced.',
'data_breach': {'data_encryption': 'No (Data Published in Unencrypted Excel '
'File)',
'data_exfiltration': 'Yes (Downloaded via FoI Process, '
'Uploaded to Website, Accessed by '
'Terrorists)',
'file_types_exposed': ['Excel Spreadsheet'],
'number_of_records_exposed': '9,483',
'personally_identifiable_information': ['Full Names',
'Job Titles/Ranks',
'Roles'],
'sensitivity_of_data': 'High (Includes Names, Ranks, Roles of '
'Police Personnel)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Employment Records']},
'date_detected': '2023-08',
'date_publicly_disclosed': '2023-08',
'description': 'A major data breach within the Police Service of Northern '
'Ireland (PSNI) occurred in August 2023 due to gross '
'negligence and systemic failures. Names, ranks, and roles of '
'nearly 9,500 PSNI officers and staff were inadvertently '
'published in response to a Freedom of Information (FoI) '
'request. The details were downloaded as an Excel file from '
'the PSNI’s human resources management system and uploaded '
'onto a website. Dissident republican terrorists accessed the '
'information within days of the leak. Up to 8,500 affected '
'individuals are seeking damages, with claims for negligence '
'and breaches of data protection and privacy. The PSNI has '
'accepted liability but lacks funding to settle the claims, '
'with the UK Treasury rejecting a request for financial '
'assistance to cover the estimated £120m bill. The PSNI was '
'fined £750,000 by the Information Commissioner’s Office (ICO) '
'for the breach.',
'impact': {'brand_reputation_impact': 'Severe (Loss of Trust, Public '
'Scrutiny, Legal Fallout)',
'customer_complaints': '8,500+ individuals seeking damages (group '
'actions + 6 test cases)',
'data_compromised': {'records_exposed': '9,483 (nearly 9,500)',
'sensitivity': 'High (Personal Identifiable '
'Information of Police '
'Officers and Staff)',
'types': ['Names',
'Ranks',
'Roles',
'Personal Details']},
'financial_loss': {'estimated_total_cost': '£120 million '
'(unfunded)',
'fines_imposed': '£750,000 (ICO)',
'potential_private_sector_fine': '>£5 million '
'(hypothetical)'},
'identity_theft_risk': 'High (Personal Details of Police Officers '
'Exposed)',
'legal_liabilities': ['Negligence Claims',
'Data Protection Breaches',
'Privacy Violations'],
'operational_impact': 'Severe (Ongoing Litigation, Reputation '
'Damage, Security Risks to Officers)',
'systems_affected': ['PSNI Human Resources Management System',
'Website Hosting FoI Response']},
'investigation_status': 'Ongoing (Legal Proceedings in High Court, Test Cases '
'Underway)',
'lessons_learned': 'Systemic failures in data review processes; need for '
'stricter FoI response protocols, internal audits, and '
'staff training to prevent inadvertent disclosures. '
'Highlighted risks of exposing law enforcement personnel '
'data in high-threat environments.',
'motivation': ['Terrorism', 'Opportunistic Exploitation'],
'post_incident_analysis': {'corrective_actions': ['Legal Acceptance of '
'Liability',
'ICO Fine Payment',
'Pursuit of Treasury '
'Funding for Compensation',
'Court-Managed Litigation '
'Strategy'],
'root_causes': ['Gross Negligence (Four '
'Individuals Failed to Spot Data '
'in FoI Response)',
'Lack of Data Validation Checks',
'Systemic Process Failures',
'Inadequate Redaction Protocols']},
'recommendations': ['Implement Multi-Layer Review for FoI Responses',
'Enhance Data Redaction Protocols',
'Conduct Regular Security Audits for HR Systems',
'Establish Emergency Funding Mechanisms for Breach '
'Fallout',
'Improve Crisis Communication Timeliness'],
'references': [{'date_accessed': '2024-XX-XX',
'source': 'High Court of Northern Ireland Proceedings'},
{'date_accessed': '2023-XX-XX',
'source': 'Information Commissioner’s Office (ICO) Fine '
'Announcement'}],
'regulatory_compliance': {'fines_imposed': '£750,000 (ICO)',
'legal_actions': ['Group Litigation (8,500+ '
'Plaintiffs)',
'6 Test Cases Identified',
'Negligence and Privacy Claims'],
'regulations_violated': ['UK GDPR',
'Data Protection Act 2018'],
'regulatory_notifications': ['Information '
'Commissioner’s Office '
'(ICO)']},
'response': {'communication_strategy': ['Delayed Notification (Media Reported '
'Before PSNI Alert)',
'Court Proceedings for Transparency'],
'containment_measures': ['Removal of Data from Website',
'Public Disclosure of Breach'],
'incident_response_plan_activated': 'Yes (Liability Accepted, '
'Legal Proceedings Underway)',
'law_enforcement_notified': 'Yes (MI5 Aware of Severe Terrorist '
'Threat Context)',
'recovery_measures': ['Ongoing Litigation Management',
'Anonymity Granted to Plaintiffs']},
'stakeholder_advisories': 'Plaintiffs granted anonymity; evidence screening '
'issues delayed proceedings.',
'threat_actor': ['Dissident Republican Terrorists',
'Unknown Third Parties (Spreadsheet Possession '
'Unquantified)'],
'title': 'Police Service of Northern Ireland (PSNI) Data Breach',
'type': ['Data Breach', 'Unintentional Disclosure'],
'vulnerability_exploited': 'Lack of Data Review Process / Gross Negligence'}