The Norfolk and Suffolk police forces in the UK have acknowledged a data breach involving personal information of victims, witnesses, and suspects of various crimes [1] [2] [3] [5] [6] [7] [8]. The breach occurred due to a technical issue in responding to freedom of information requests [5], which resulted in raw crime report data being included in the files.

Description

The compromised data included personally identifiable information such as names, addresses, and dates of birth [2], as well as descriptions of offenses including domestic incidents, sexual offenses, assaults, theft, and hate crimes [5]. Although the information was not visible, it was inappropriate to include it in the responses. The breach affected 18 replies sent between April 2021 and March 2022 [2] [5]. Prompt measures were taken to remove the data from public access, and the affected individuals will be notified through letters, phone calls, or direct interactions [2]. The Information Commissioner’s Office (ICO) has initiated an investigation into the breach, which may result in fines [2]. This incident highlights the importance of implementing robust measures to protect sensitive personal information [2].

The police forces have completed an analysis and are in the process of notifying the 1,230 individuals affected, which is expected to be completed by the end of September [5]. The affected individuals will receive detailed information about the impact on their personal data and will be provided with support contacts [5]. There is no evidence that the leaked data has been accessed by third parties. The forces have made efforts to determine if anyone else had access to the data but have found no evidence so far [4]. This breach is not the first for Suffolk Police, which has previously suffered from data handling issues [3]. The breach involved the accidental inclusion of raw data in response to freedom of information requests, exposing personally identifiable information (PII) of approximately 1,230 individuals involved in various crimes [4]. The ICO has been informed of the incident and is investigating [3]. While not as large-scale as a previous incident at the Police Service of Northern Ireland (PSNI), this breach raises concerns about the handling of sensitive data [4]. The PSNI incident involved the accidental leakage of personal data of approximately 10,000 employees, putting officers at risk from dissident groups [4]. The incident highlights the need for public authorities to take great care in responding to freedom of information requests and ensure sufficient regulatory oversight [4].

Conclusion

This data breach has had significant impacts on the affected individuals, as their personal information was exposed. However, prompt measures were taken to remove the data from public access and notify the affected individuals. It is reassuring that there is no evidence of third-party access to the leaked data. The incident has raised concerns about the handling of sensitive data by the police forces, particularly in light of previous data handling issues. The ongoing investigation by the Information Commissioner’s Office will shed further light on the breach and may result in fines. This incident serves as a reminder of the importance of implementing robust measures to protect sensitive personal information and the need for public authorities to exercise caution and ensure regulatory oversight when responding to freedom of information requests. The constabularies have set up a dedicated specialist team to handle any queries related to the incident [6], and the ICO is currently investigating this breach [6], as well as a separate breach reported in November 2022 [6].

References

[1] https://www.infosecurity-magazine.com/news/uk-police-breach-exposes-victim/
[2] https://www.computing.co.uk/news/4122277/norfolk-suffolk-police-breach-personal-230-people-exposed
[3] https://techmonitor.ai/technology/cybersecurity/norfolk-and-suffolk-police-data-breach
[4] https://www.computerweekly.com/news/366548452/Norfolk-and-Suffolk-police-hit-by-FoI-linked-data-breach
[5] https://www.ukauthority.com/articles/norfolk-and-suffolk-police-report-data-breach/
[6] https://www.policeprofessional.com/news/norfolk-and-suffolk-constabularies-identify-breach-of-personal-data-in-foi-response/
[7] https://www.standard.co.uk/news/crime/norfolk-suffolk-police-data-breach-crime-victims-b1100741.html
[8] https://www.independent.co.uk/news/uk/crime/norfolk-suffolk-police-data-breach-b2393265.html