Norfolk and Suffolk Police data breach: Data of victims and witnesses included in FOI responses | UK News | Sky News
The data was hidden from anyone opening the files, but should not have been included, according to the forces.
James Robinson
Sky News reporter @thejournojames
Tuesday 15 August 2023 19:33, UK
Two police forces have admitted breaching the data of 1,230 people - including victims and witnesses - as officers told Sky News they have an "open mind" about whether it has been inappropriately accessed.
Norfolk and Suffolk constabularies said a "technical issue" led to the data being included within files produced in response to Freedom of Information (FOI) requests about crime statistics.
It included information related to a range of offences, including domestic incidents, sexual offences, assaults, thefts and hate crimes.
Names, addresses and dates of birth are among the data affected.
In a joint statement, the constabularies said the information was hidden from anyone opening the files.
However, they admitted it should not have been included in the responses, which were issued between April 2021 and March 2022.
The FOI responses were also published on police websites for "transparency purposes".
Assistant Chief Constable of Suffolk Police, Eamonn Bridger, told Sky News the forces so far had no evidence the data had been inappropriately accessed but were keeping an "open mind".
He said the forces had "meticulous records of who has been sent the information... [but] it's too early to say exactly what's happened to all of it".
He added it "would take a degree of specialist knowledge" to recognise the information was included in the FOI responses.
The forces have said they are working to notify everyone and admitted "some very vulnerable individuals" are affected.
This will be done via a letter, over the phone, or, in some cases, face-to-face, depending on what data is affected and the person's safeguarding needs.
Officers expect this process to be completed by the end of September.
Assistant Chief Constable Bridger said a member of police staff discovered the data breach and the forces "took action as soon as we reasonably could".
A rapid review was also launched into how it occurred.
"If members of the public are not contacted by the constabularies, they do not need to take any action," the forces said in a statement.
Cybersecurity expert Muhammad Yahya Patel, lead security engineer at Check Point, told Sky News it was too early to know how protected the data really is.
"When they talk about the data being 'hidden', it could be the files are encrypted, documents are password protected, or something as simple as a hidden Excel spreadsheet," he said.
"It's not a straightforward exercise to access protected data. But the language used means we can't be sure yet specifically how protected it is."
Mr Patel said recent incidents highlight the need for greater education for anyone handling sensitive data at work.
He said that given Norfolk and Suffolk's responses were issued some time ago, it could be a sign police forces have been asked to review their processes and more historical breaches could come to light as a result.
It comes just days after a separate data breach involving the Police Service of Northern Ireland (PSNI).
The force apologised for a self-inflicted breach after it inadvertently published the surname, initials, the rank or grade, the work location and departments of all PSNI staff in response to an FOI request.
It also revealed members of the organised crime unit, intelligence officers stationed at ports and airports, officers in the surveillance unit and almost 40 PSNI staff based at MI5's headquarters in Holywood, the Belfast Telegraph reported.
The data was potentially visible to the public for between two-and-a-half and three hours.