An Ombudsman data breach may have put “lives at risk” in Ireland

The Police Federation for Northern Ireland (PFNI) has called for a full inquiry after they were alerted to a data breach that may have put lives at risk.

The inquiry was prompted after a former investigating officer who worked at the Police Ombudsman for Northern Ireland (PONI) was arrested for allegedly stealing sensitive information. The information is believed to have security details and identification of service police officers.

Needless to say, this data in the wrong hands could put lives in danger…

Mark Lindsey, chairman of the PFNI, is extremely concerned over the implications of this incident and has called for a “full investigation”.

Unsurprisingly, his trust in the Ombudsman has disintegrated:

“There is more than enough justification for a high-level inquiry into the manner in which PONI treats some of the most sensitive information. It doesn’t get much more serious than this. This is an astounding and very worrying state of affairs. The sensitive documents in question identify police officers and potentially place lives at risk.”

Data protection obligations

Under many data protection principles worldwide, data holders have a legal obligation to look after the data they hold, and ensure the way they store data is secure from internal and external tampering, or misuse. This responsibility is held by all data holders, no matter if it’s an individual, a company, or a governmental entity.

This responsibility is heightened when the data in question is of a sensitive nature.

Lindsey recalls a previous full inquiry made into PONI in past years. While that may have cast doubt in the Ombudsman’s ability to store sensitive information, the need to repeat the inquiry most certainly confirms such doubts:

“If PONI cannot be trusted with sensitive information, then there’s a good case to be made to restrict the data.”

Former officer arrested

The PSNI’s Serious Crime Branch worked with Kent Police officers to carry out a search on a 69 year old former Police Ombudsman employee. On the 9^th April, he was arrested.

The former PONI employee is understood to have retired from the PONI and the documents he held do not concern open cases. However, the sensitive information can still identify PSNI officers.

In investigating how the man could steal the sensitive information from his former office, the PSNI’s Crime Operations Branch stated that they have “commenced a criminal investigation and are also carrying out an assessment of any impact which may be caused by the unauthorised release of sensitive material.”

Unknown if victims alerted

It’s not known if the police officers who are identified in the documents have been alerted of the data breach. While is it not known what the 69 year old intended to do with the information, it is possible that he could have used the information maliciously or sold it on. Due to the nature of police officers’ work, it’s not unusual for individuals to harbour hostile intentions towards officers. If sensitive information such as an officer’s home address was shared, the safety of the officer and their family could be at great risk.

Inquiry in to lack of protocols

The inquiry into PONI will be focused on the lack of security protocols that failed to prevent the former employee from appropriating the sensitive information. While data processors are allowed to use certain data for specific purposes, security measures should be put in place to prevent any misuse or misappropriation.

We would not be surprised if the Northern Irish Information Commissioners Office is requested to make their own investigations over PONI’s failings.