Cyber security experts react to PSNI major data breach

Police Service of Northern Ireland Assistant Chief Constable Chris Todd speaks to members of the media about a data breach involving officers and civilian staff (Rebecca Black/PA)

The security service might be able to find out who accessed the personal and employment details of thousands of Police Service of Northern Ireland (PSNI) officers and civilian staff after they were posted online in a major data breach, cyber security experts said.

PSNI apologised on Tuesday after it emerged that some 10,000 officers and staff were affected by the breach, which happened when it responded to a Freedom of Information request seeking the number of officers and staff at all ranks and grades across the organisation.

In the response published online, a table was embedded which contained the rank and grade data, but also included detailed information that attached the surname, initial, location and departments for all PSNI employees.

Police Service of Northern Ireland (PSNI) Assistant Chief Constable Chris Todd speaks to media about a data breach involving officers and civilian staff, at PSNI headquarters, in Belfast (Rebecca Black/PA)

The data was potentially visible to the public for between two-and-a-half and three hours, due to what the PSNI called a human error.

Amid fears the information may have fallen into the wrong hands, cyber security experts have said tracking IP addresses, a unique address identifying a device on the internet or a local network, could help the authorities to find out who viewed the data while it was online.

Mark Ryan, a professor in computer security at the University of Birmingham, said: “Typically, websites do have logs of what accesses are made so the website maintainer should be able to look at how many downloads there were, when they were and the IP address.

“There could be interesting information there. The log would contain the IP address. It would contain the date and the IP address of the browser.”

He said the IP address may reveal details such as the user’s geographic location.

He added: “Sometimes it is not very accurate but it’s at least a start and you can find out who maintains and provides that IP address – is it an ISP (internet service provider) that serves domestic houses like Virgin and Talk Talk or a company and organisation that has its own IP addresses.

“In theory, you could even get back to an individual. In some cases at least, they could find out the person.

“One thing that makes it a bit complicated is there is a lot of IP address sharing going on, for example if someone downloaded it from an internet café.”

Holly Williams, managing director of cyber security firm Akimbo Core, said it might be possible to trace who accessed the website, but she warned that if the data was downloaded and shared elsewhere this would be “very difficult to track”.

On whether the authorities could track who viewed the FOI response while it was online, she said: “Yes, it could be possible. It wouldn’t necessarily take GCHQ but it is possible to read through logs and see who has accessed a website.

“They could certainly look at the logs of the website to see who requested that, that would ordinarily, generally, disclose the IP address.”

But she said that “if those people then shared that file the secondary share wouldn’t be in those logs”.

Jake Moore, a global cybersecurity adviser for the ESET software company, added: “What you probably will find is that anyone who did access that data, then those original and initial users would have been legitimate, innocent parties looking for the information that they were requesting in Freedom of Information.

“For illicit actors looking to access that incredibly sensitive information, it would be highly unlikely they would know it would appear in that very short time frame.

“However, all it takes is someone very savvy to realise that shouldn’t have happened and release it on a platform such as Twitter. If that then got into dark web forums then yes it can be exploited, it would be exploited tenfold.”

On tracking viewers, he said: “They should have a number of IP addresses that have been to that page but to know exactly who they may be is difficult.”

David Stupples, a professor of electronic and radio engineering at City, University of London, said that “the breach seems to emanate from very lax security procedures”.

He added: “Any security procedures should contain an audit function that will record who accessed the material and when.

“Online audit checks allow the authorities to trace the routing of data and should be able to limit distribution, so long as recipients can be trusted.”