
Northern Ireland police leak: tech people, how can this happen?

44 replies

PostOpOp · 11/08/2023 07:53

This is a half-AIBU because if it's genuine error then whoever did it must be seriously feeling bad and I'm not wanting to make that worse.

But AIBU to think that it should be impossible for personal information to be able to be posted online? I cannot understand how it could happen, even by mistake. I'm not a tech professional and have minor experience with tech, but do have some. I also have some experience of keeping information confidential. And I cannot see how it can be possible in a normal system for this to happen. In the PSNI though, that's multiplied exponentially - just how?

I mean I'd have thought that the tech dept. potentially has access to everything, but not everyone in the dept has access to everything. And can't certain database files be made virtually impossible to be moved/uploaded/exported? I'm really not understanding how this could just happen at a click of a button, rather than lots of hoops being gone through first.

Like I said, if it was a genuine mistake then someone is feeling horrific (although they likely were let down by a weak system) and I'm not wanting to pile on them. But technically, AIBU to think it is very odd that this was even possible?

Chickenkeev · 11/08/2023 07:58

There was a similar(ish) thing not too long ago with the Irish health service, I reckon it's just par for the course with technology. Nothing is perfect or immune from this kind of thing (although it seems the NI thing has exposed v poor practices wrt data protection).

DonnaHadDee · 11/08/2023 08:14

I work in a very well known tech company, and security/hacking/phishing risks have been at the forefront of employee training, focus and attention for many years. Based on the courses I attend (which were mandatory to attend and get 80%+ score) the main cause of failure is simple human error. The second cause is "zero-day" issues, meaning real security flaws in the software, but typically these are fixed with updates. Based on the courses I've attended, it seems most of the successful zero-day attacks are a result of the original system not being properly updated.

I have no idea of the root cause in this situation, but assuming it's "typical", then most likely human error and/or outdated system/process. Two of my cousins are in PSNI, so this is obviously a huge concern. Having said that, when I was back in my home area, I'd have known a few of the local police, where they lived and so on.

Baker111 · 11/08/2023 08:21

My understanding is that it was human error, not hacking. There was an FOI request for details of staff on the force- number at each ranking- and they had intended to publish only that. But they accidentally published the list of all staff, which had presumably been pulled to get the data for the FOI, at the same time.

However it happened they don’t appear to have good systems for double checking what information is published before it is. Really shocking and awful for the poor officers involved.

Pandaflop · 11/08/2023 08:23

Even on locked down networks it's invariably not impossible for human error to cause something like this, there are only a certain amount of safeguards and procedures before having to say we won't hold this info online anywhere. Thankfully it is rare but yes it's absolutely awful :(

LaMontser · 11/08/2023 08:25

It wasn’t a hack. It was using fucking Excel to store personal sensitive data because the public sector here refused to entertain the idea of modern safe tech. This aligned with a systemic failure whereby FOIs don’t appear to go through a rigorous process of checking before some admin posts a reply. All totally preventable. And the cavalier attitude towards staff and their families’ safety is a disgrace.

MyOtherNameToday · 11/08/2023 08:26

They were responding to a FOI request. I wondered was it something as simple as posting a spreadsheet with hidden columns and not realising they could be unhidden. So for example trying to post a list of ranks so the requester could calculate the number of staff at each rank but not deleting the information like names. It actually could have been much worse if addresses or phone numbers were also there.

I also wonder was it a temp staff member or someone from outside NI. Someone who (in the latter case) didn't understand how sensitive this kind of information is in NI. It was a running joke in NI that police personnel would always say they were 'in the civil service'.

xPeaceXx · 11/08/2023 08:27

Were they hacked?
The HSE was hacked, and probably paid the ransom :-(

KrisAkabusi · 11/08/2023 08:29

It was human error. They were asked for the number of officers and staff at each rank. To do this you obviously need access to the list of people and their ranks. From what I understand, this was done in Excel, making a pivot table to count the numbers at each rank. All fine so far. Unfortunately it seems that instead of just publishing the pivot table, the spreadsheet behind it also went up. It was human error. There should have been a point where someone else checked what was being published, that's where the system failed.

Chickenkeev · 11/08/2023 08:31

MyOtherNameToday · 11/08/2023 08:26

They were responding to a FOI request. I wondered was it something as simple as posting a spreadsheet with hidden columns and not realising they could be unhidden. So for example trying to post a list of ranks so the requester could calculate the number of staff at each rank but not deleting the information like names. It actually could have been much worse if addresses or phone numbers were also there.

I also wonder was it a temp staff member or someone from outside NI. Someone who (in the latter case) didn't understand how sensitive this kind of information is in NI. It was a running joke in NI that police personnel would always say they were 'in the civil service'.

AFAIK it wasn't even hidden columns, it was a sheet with the details. It was the ultimate 'rookie error'. The type you can't afford to make when it comes to police details, especially not in NI. Ffs! There's clearly not enough checks and balances going on.
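A pre-release check of the kind the posts above say was missing, as an added example that is not part of the thread: it opens an .xlsx (a zip of XML parts) and lists unexpected or hidden sheets, hidden columns or rows, and cached pivot-table source records. The function names, the sheet allowlist and the sample workbook are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def audit_xlsx(data, allowed_sheets):
    """Return reasons an .xlsx file should not be released as it stands."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            name, state = sheet.get("name"), sheet.get("state", "visible")
            if name not in allowed_sheets:      # e.g. the source list behind a pivot
                findings.append(f"unexpected sheet: {name}")
            if state != "visible":              # "hidden" or "veryHidden"
                findings.append(f"{state} sheet: {name}")
        for part in z.namelist():
            if re.fullmatch(r"xl/worksheets/[^/]+\.xml", part):
                ws = ET.fromstring(z.read(part))
                cols = ws.findall("m:cols/m:col", NS)
                rows = ws.findall("m:sheetData/m:row", NS)
                if any(c.get("hidden") in ("1", "true") for c in cols):
                    findings.append(f"hidden columns in {part}")
                if any(r.get("hidden") in ("1", "true") for r in rows):
                    findings.append(f"hidden rows in {part}")
            elif re.fullmatch(r"xl/pivotCache/pivotCacheRecords\d+\.xml", part):
                # A pivot table can carry a copy of its source rows in this part.
                findings.append(f"pivot cache holds source rows: {part}")
    return findings

def build_sample_xlsx():
    """Constructed minimal package: only the parts audit_xlsx reads."""
    ns = NS["m"]
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{ns}"><sheets>'
            '<sheet name="Summary" sheetId="1"/>'
            '<sheet name="SourceData" sheetId="2"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{ns}"><sheetData/></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet xmlns="{ns}"><cols>'
            '<col min="1" max="2" hidden="1"/></cols><sheetData/></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml": f'<pivotCacheRecords xmlns="{ns}"/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_xlsx(build_sample_xlsx(), {"Summary"}):
        print("BLOCK RELEASE:", finding)
```

An empty result is the only state in which the file would go forward to the second person who reviews the release.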

tommika · 11/08/2023 08:31

@PostOpOp
The data was correctly accessed and used to produce results for the FOI question that had been raised.

Human error was the cause of publishing everything which included the attachment of original source data.

In a different government department I’m involved in producing results in response to Freedom of Information and Parliamentary Questions.
I often show my workings, but it goes through those whose roles are dedicated to responding - they provide the results which subsequently get published.

I would provide a link to workings rather than an attachment, which is one step further away from accidentally publishing the source data but doesn’t guarantee that human error wouldn’t open the link and publish the source

There have also been cases where I have had concerns about publishing the results, but I would generally produce the answer whilst expressing my concerns - which has resulted in responses being refused or partially provided with redaction

……………..

It doesn’t ease the risk involved with the PSNI breach but it’s an understanding of how a failure can occur

megletthesecond · 11/08/2023 08:33

I assumed it was human error and a spreadsheet was accidentally put on line.

However having worked in admin for ever while I might be able to pull the data off I have never had access to publish anything on the website. They would always be two separate roles. And thinking about it more, any FOI requests would also go through our data protection officer. So maybe it was malicious or a perfect storm of cock ups.

WeAreFromThePlanetDuplo · 11/08/2023 08:40

If I’ve understood correctly, the PSNI administrator/data person didn’t publish the document or put it online, they sent the information out to someone in response to an FOI request. Presumably that person then put it up on the website. I wonder who they are, and if they knew what they were doing.

tommika · 11/08/2023 08:41

LaMontser · 11/08/2023 08:25

It wasn’t a hack. It was using fucking Excel to store personal sensitive data because the public sector here refused to entertain the idea of modern safe tech. This aligned with a systemic failure whereby FOIs don’t appear to go through a rigorous process of checking before some admin posts a reply. All totally preventable. And the cavalier attitude towards staff and their families’ safety is a disgrace.

No. It was not the use of Excel to store personal data rather than ‘modern safe technology’

Actually the opposite - personal data stored on a system which is sufficiently modern enough to be capable of extracting data, and nothing to show it was unsafely stored as the data was extracted for a valid purpose therefore appropriate staff would have used appropriate access permissions to extract the data.

Excel file format is also used by many other systems as a common format for extraction and transfer

The breach was human

MyOtherNameToday · 11/08/2023 08:43

I really hope this isn't used as a convenient excuse to exempt more branches of public service from FOI requests on 'security grounds'. That would be a worry.

Pandaflop · 11/08/2023 08:46

MyOtherNameToday · 11/08/2023 08:43

I really hope this isn't used as a convenient excuse to exempt more branches of public service from FOI requests on 'security grounds'. That would be a worry.

I doubt it, although hopefully it leads to tightening up on checks before publications.

thecatsthecats · 11/08/2023 08:49

If you haven't already, read the thread about "My husband hasn't paid the rent".

There are dozens and dozens of posts on there of people refusing to believe that human error could be the cause.

As a data protection specialist.... Yeah, no. The worst thing you can do is assume that you aren't susceptible to errors. And it's the thing I have to shape my processes around most sensitively, so that they admit and come to me with errors.

This is just an error someone noticed, one that happens to have big consequences.

See also driving threads for the people with perfect driving. Without doubt, literally all of them will have caused someone to shit themselves and they won't even know it. Because humans are error prone.

cloudydays97 · 11/08/2023 08:50

I believe they responded to an FOI request which had been originally submitted via a website called What Do They Know, which allows people to request info pretty much anonymously (in that they don't have to use their real name). Replying to the email address generated by the site automatically meant it was published on the What Do They Know website. It should have been checked before, as personal data is a really obvious exemption to FOIs. All FOIs are considered to be published to the world so there should've been checks before sending, but it's so obvious not to publish names, not sure how it was accidentally sent.

thecatsthecats · 11/08/2023 08:51

tommika · 11/08/2023 08:41

No. It was not the use of Excel to store personal data rather than ‘modern safe technology’

Actually the opposite - personal data stored on a system which is sufficiently modern enough to be capable of extracting data, and nothing to show it was unsafely stored as the data was extracted for a valid purpose therefore appropriate staff would have used appropriate access permissions to extract the data.

Excel file format is also used by many other systems as a common format for extraction and transfer

The breach was human

To be fair, I would hazard a guess that a decent system would allow you to filter and pivot the data prior to extraction so that no personal data was required to leave the secure system.

But then I just left a company working with prisoner and criminal record data who were determined to switch from a system that could do that to a system that couldn't.

LaMontser · 11/08/2023 08:52

tommika · 11/08/2023 08:41

No. It was not the use of Excel to store personal data rather than ‘modern safe technology’

Actually the opposite - personal data stored on a system which is sufficiently modern enough to be capable of extracting data, and nothing to show it was unsafely stored as the data was extracted for a valid purpose therefore appropriate staff would have used appropriate access permissions to extract the data.

Excel file format is also used by many other systems as a common format for extraction and transfer

The breach was human

That data should have been stored on a system that didn’t allow it to be extracted to Excel. And given the second breach reported where spreadsheets, paper and a police laptop were stolen from a car I don’t accept human error as a valid reason. It’s a systemic failure to understand information governance. And it puts actual lives at risk.

tommika · 11/08/2023 08:53

MyOtherNameToday · 11/08/2023 08:43

I really hope this isn't used as a convenient excuse to exempt more branches of public service from FOI requests on 'security grounds'. That would be a worry.

I doubt it, although hopefully it leads to tightening up on checks before publications.

As @Pandaflop says above, it’s doubtful that this could justify FOI/PQ refusal
The ICO would not accept “We cannot answer that non sensitive question due to the risk of incompetence”

It flags up for an internal investigation of a simple human error of not removing an attachment, insufficient training of the individual or a full process problem

Whowhatwherewhenwhy1 · 11/08/2023 08:56

Whatever the reason the end result has been life changing for many families and their futures filled with fear and worry. Unless you are or have been a Police Officer in NI or the family member of one it will be hard to understand the consequences of this breach. Someone needs to be held accountable and systems changed so this can never happen again. The ‘bad’ times in NI are far from over and no matter how peaceful it looks on the surface, tensions are still bubbling beneath the surface and Officers still are and always will be targets.

Chickenkeev · 11/08/2023 09:01

Whowhatwherewhenwhy1 · 11/08/2023 08:56

Whatever the reason the end result has been life changing for many families and their futures filled with fear and worry. Unless you are or have been a Police Officer in NI or the family member of one it will be hard to understand the consequences of this breach. Someone needs to be held accountable and systems changed so this can never happen again. The ‘bad’ times in NI are far from over and no matter how peaceful it looks on the surface, tensions are still bubbling beneath the surface and Officers still are and always will be targets.

YY to this

thecatsthecats · 11/08/2023 09:05

LaMontser · 11/08/2023 08:52

That data should have been stored on a system that didn’t allow it to be extracted to Excel. And given the second breach reported where spreadsheets, paper and a police laptop were stolen from a car I don’t accept human error as a valid reason. It’s a systemic failure to understand information governance. And it puts actual lives at risk.

But a systematic failure to understand information governance is a very human thing indeed.

Funnily enough, I have just started in a new role where I am prioritising a backlog of what I consider high-level risks. But they were audited a little while ago, and these risks were registered as low. Which is astonishing, as soon after I presented my recommendations, one of the risks was almost realized. Definitely a near miss incident. And when I proved, there were patterns of similar issues through the list I identified. Very poor of the auditors to low-ball such a vital issue.

But at the end of the day, nobody but me at the company applied to do a job in Information Governance.

I mean, I can't complain about that. These news stories probably just increased the value of my work by about 10%, and I have something to point at in training again.

But the most important thing is that humans accept that they're bad at these things - and I have to accept it too.

ntmdino · 11/08/2023 09:06

As noted, this is nothing to do with system-level security, and everything to do with human stupidity - publishing a document which had no reason to even exist (if access to that data was required, it should have been through the system that originally held it).

Spreadsheets are the bane of any sysadmin's existence, because it's impossible to restrict access in any meaningful way once the file's on someone's local computer.

thecatsthecats · 11/08/2023 09:17

ntmdino · 11/08/2023 09:06

As noted, this is nothing to do with system-level security, and everything to do with human stupidity - publishing a document which had no reason to even exist (if access to that data was required, it should have been through the system that originally held it).

Spreadsheets are the bane of any sysadmin's existence, because it's impossible to restrict access in any meaningful way once the file's on someone's local computer.

To be fair, it's perfectly possible to restrict system-level access so that individual records can't be seen, only summary information. That's a system issue, either in the system chosen or in the application of security settings (which I guess is human controlled too, but still...).

I've built such access profiles myself. They're usually especially useful when the Data Protection and legal staff aren't techies.

Which is why I always pitch myself in interviews as a data protection specialist who actually knows the bare fucking minimum level about technology.
