Norfolk and Suffolk Police data breach: Data of victims and witnesses included in FOI responses
Two police forces have admitted breaching the data of 1,230 people – including victims of crime and witnesses.
Norfolk and Suffolk constabularies said a “technical issue” led to raw data being included within files produced in response to Freedom of Information (FOI) requests about crime statistics.
It included information related to crime reports for a range of offences, including domestic incidents, sexual offences, assaults, thefts and hate crimes.
In a joint statement, the constabularies said the data was hidden from anyone opening the files.
However, they admitted it should not have been included in the responses, which were issued between April 2021 and March 2022.
They said “strenuous efforts” had been made to determine if the data released had been accessed by anyone outside policing.
“At this stage, we have found nothing to suggest that this is the case,” the constabularies said in their statement.
Assistant Chief Constable of Suffolk Police, Eamonn Bridger, said: “We would like to apologise that this incident occurred, and we sincerely regret any concern that it may have caused the people of Norfolk and Suffolk.
“I would like to reassure the public that procedures for handling FOI requests made to Norfolk and Suffolk constabularies are subject to continuous review to ensure that all data under the constabularies’ control is properly protected.”
The forces said they would notify all 1,230 people whose data had been breached.
This will be done via a letter, over the phone, or, in some cases, face-to-face, depending on “what information was impacted and what support is required”
Officers expect this process to be completed by the end of September this year.
“If members of the public are not contacted by the constabularies, they do not need to take any action,” the forces said in a statement.
Cybersecurity expert Muhammad Yahya Patel, lead security engineer at Check Point, told Sky News it was too early to know how protected the data really is.
“When they talk about the data being ‘hidden’, it could be the files are encrypted, documents are password protected, or something as simple as a hidden Excel spreadsheet,” he said.
“It’s not a straightforward exercise to access protected data. But the language used means we can’t be sure yet specifically how protected it is.
While there is no suggestion the files have ended up in the hands of a bad actor, Mr Patel said recent incidents stress the need for greater education for anyone handling sensitive data at work.
“We need a more thorough review of the controls we’re placing around sensitive data,” he said.
Mr Patel said that given Norfolk and Suffolk’s responses were issued some time ago, it could be a sign police forces have been asked to review their processes and more historic breaches could come to light as a result.
It comes just days after a separate data breach incident, involving The Police Service of Northern Ireland (PSNI).
The force apologised earlier this month for a self-inflicted security breach after it inadvertently published the surname, initials, the rank or grade, the work location and departments of all PSNI staff in response to an FOI request.
It also revealed members of the organised crime unit, intelligence officers stationed at ports and airports, officers in the surveillance unit and almost 40 PSNI staff based at MI5’s headquarters in Holywood, the Belfast Telegraph reported.
The data was potentially visible to the public for between two-and-a-half to three hours.