PSNI Excel Data Breach – What are the lessons learned?

Access management controls and security awareness training could have helped prevent the Northern Ireland police data breach.

Earlier this month, the Police Service of Northern Ireland (PSNI) confirmed a serious data leak stemming from a Freedom of Information request, writes Cyber Security Technician Thomas Boughton.

The request led to an Excel spreadsheet containing the surnames and initials, rank, location and department of all current PSNI officers and staff being made public.

The unencrypted Excel document, which was sent out by a junior member of staff in error, contained the sensitive information in an embedded document. The breach puts many PSNI officers at risk, especially because in March the threat level for Northern Ireland-related terrorism was raised from substantial to severe.

While private organisations aren’t obliged to answer Freedom of Information requests, there are still lessons to be learned from this data breach:

Access Management

The implementation of proper access management could have prevented this leak. With access management in place, information can be restricted, so the junior staff member would have had to request access to it, probably from someone more senior, who could have stopped the leak at that point.

One method of implementing access management is to follow the information security standard ISO 27001. Indelible Data offers comprehensive consultancy to help your organisation achieve ISO 27001 including template policies and procedures to keep staff informed.

Over-reliance on Excel

Over-reliance on Excel for the storage of sensitive information is another contributory factor to the breach.

Ideally, sensitive information should be held on separate, encrypted databases, with strict access management requirements.

This ‘over-reliance’ on Excel is common across private and public organisations, probably because colleagues are familiar with the software and feel comfortable using it.

However, as shown with the PSNI breach, this can have catastrophic consequences.

Inadequate Training

It’s been reported that the staff member who mistakenly leaked the document was of junior level, highlighting a possible shortcoming in the training of new staff at PSNI.

While human error is a constant factor in any organisation, training can decrease the likelihood of errors and mistakes. Therefore, it’s crucial that staff are trained to responsibly handle data that’s relevant to their job role.

Indelible Data offers Security Awareness training either remotely or in person. For more information, email admin@indelibledata.co.uk

Conclusion

Basic policies, procedures, and technical controls can protect your organisation from most security breaches. This again proves the importance of certifications such as Cyber Essentials and Cyber Essentials Plus.