More than three days on from the data breach in which the Police Service of Northern Ireland (PSNI) accidentally published the personal and employment details of every police officer and civilian member of staff, questions are continuing to mount. How did it happen, why was it not prevented and just how far-reaching will the consequences be?
Q. Just how big was this data breach?
Big. “Industrial scale” was how Chief Constable Simon Byrne described it. The information released included the surname, first initial, workplace location and unit of every serving police officer and civilian staff member, full and part-time; more than 10,000 people.
In some instances, this detail was highly sensitive, particularly for individuals working in intelligence or covert operations.
A total of 40 PSNI staff were revealed to be based at MI5's Northern Ireland headquarters in Holywood, Co Down.
All of this information was published online, and available for 2½ to three hours on Tuesday afternoon before the mistake was identified and it was removed from the site, though by that stage it was already circulating.
It is not clear if the breach was first identified by the PSNI or the Belfast Telegraph, which broke the story after it was contacted by the relative of a serving police officer.
Q. How did this happen?
The data was provided in error in a PSNI response to a Freedom of Information (FoI) request by a member of the public who asked for statistical information on the total PSNI strength and how many officers of each rank.
The response was published on an FoI website, but with it was the “source data” — a separate tab which, when clicked, revealed a spreadsheet containing the additional detail.
One of the questions that will form part of the police's investigation is why this was not caught by the checks and balances presumably in place to protect such sensitive data.
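The kind of pre-release check that catches an extra tab of source data can be automated. The sketch below is an added example, not the PSNI's or the FoI website's own process: it reads the sheet list from an .xlsx file (a zip archive whose `xl/workbook.xml` names every tab) and reports anything outside an approved list. It goes slightly beyond the case described above by also flagging hidden sheets and pivot cache parts, which can carry underlying rows. The sheet names and the `build_sample` helper are hypothetical, and the sample file is constructed for the test.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def audit_workbook(data: bytes, approved: set) -> list:
    """Return findings that should block publication of an .xlsx file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in root.findall("m:sheets/m:sheet", NS):
            name = sheet.get("name")
            # "state" is absent for normal tabs; hidden/veryHidden otherwise.
            state = sheet.get("state", "visible")
            if name not in approved:
                findings.append(f"unapproved sheet: {name!r} ({state})")
            elif state != "visible":
                findings.append(f"approved sheet is {state}: {name!r}")
        for part in zf.namelist():
            # Pivot tables keep a cached copy of their source data here.
            if part.startswith("xl/pivotCache/"):
                findings.append(f"pivot cache part (may hold source rows): {part}")
    return findings


def build_sample(sheets, extra_parts=()) -> bytes:
    """Constructed sample: a minimal archive holding only the parts audited."""
    rows = "".join(
        f'<sheet name="{n}" sheetId="{i}" state="{s}"/>'
        for i, (n, s) in enumerate(sheets, 1)
    )
    xml = f'<workbook xmlns="{NS["m"]}"><sheets>{rows}</sheets></workbook>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", xml)
        for part in extra_parts:
            zf.writestr(part, "")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical sheet names: one approved summary, one stray data tab.
    leaky = build_sample([("Summary", "visible"), ("Source data", "visible")])
    for finding in audit_workbook(leaky, {"Summary"}):
        print("BLOCK:", finding)
```

An empty result means every tab in the file is on the approved list and visible; any finding should stop the release until someone has looked at the file.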
Q. Why is this so serious?
Had this happened to any police force, not least An Garda Síochána, it would be serious; that it happened to the PSNI — where officers and staff still operate in a heightened security situation and are potential targets for dissident republicans — makes it all the more so.
This was demonstrated brutally earlier this year when dissident republicans attempted to murder senior police detective John Caldwell after a youth soccer training session in Omagh.
Members of the PSNI still check under their cars for bombs and, particularly for Catholic recruits, joining the force can require sacrifices, such as moving to a different area or quitting sports teams.
Dissident republicans claim they have the information, though the chief constable said this has not been verified. If true, there are clear security implications. There is also, he added, the “broader question of trust, that data you would expect to be held and guarded preciously has gone into the public domain”.
Q. Do dissident republicans have the information?
Difficult to know, said Marisa McGlinchey, assistant professor of political science at Coventry University.
“It would definitely be in their interest to say they do, regardless, but the fact this information was publicly available on the internet for three hours suggests it is likely they may have got it.
“Dissident groups are always keen to gather intelligence and to seize opportunities and if this information was spotted it would have been gathered very quickly, as the value of it would have been immediately apparent.”
The most likely group to have acquired it, said Dr McGlinchey, is the New IRA. If they do have it the “security implications are great” and it will boost morale within dissident organisations.
It would be in the police force’s interest not to verify the claim “as the PSNI will not want to shore up any suggestions that dissidents possess this intelligence, thus increasing their capability and morale”.
Q. What happens now?
The PSNI has apologised, launched an investigation and is attempting to mitigate the “unprecedented crisis”.
More than 900 staff, and counting, have raised concerns about their safety, and an assessment is under way about the possible redeployment of some officers. The PSNI has also issued updated security advice to staff.
Each of the 10,000 people identified is also assessing their own security situation. As Supt Gerry Murray, chairman of the Catholic Police Guild — a representative organisation for Catholic officers and civilian staff in the PSNI — put it, “they’re vulnerable and they’re anxious and they’re trying to comprehend all that has happened over this short period of time”.
One Catholic officer, originally from the South, told Joe Duffy on RTÉ's Liveline that he had decided to leave the force and there are concerns this will make Catholics more reluctant to join the PSNI.
Harder to quantify at this stage is the reputational damage to the police force and the financial consequences, which it is estimated could run to £40 million-£50 million (€46 million to €58 million) in fines and compensation alone.