Personal information on 1,000 victims of crime, witnesses and suspects has been posted online following a data breach at Norfolk and Suffolk police forces. The data, which was stored in a jointly-held repository, related to a range of offences including domestic incidents, sexual offences and hate crimes.
The leak was due to a technical issue that led to raw data being wrongfully included in responses to Freedom of Information (FoI) requests, issued over the last two years. The two forces admitted the breach today, and said they have started to contact those affected.
The leaked data was stored on a system used by the two police forces. In a joint statement they said that they have yet to find any evidence that the information has been accessed by third parties.
It is thought the data was leaked alongside information that was requested via FoI requests relating to crime statistics, dating from April 2021 to March 2022.
In total, 1,230 people have been affected by the leak. The forces say they will have completed the process of contacting all the victims by the end of September. Eamonn Bridger, the assistant chief constable of Suffolk Police, who led the investigation on behalf of both forces, apologised for the incident on behalf of the police.
“I would like to reassure the public that procedures for handling FoI requests made to Norfolk and Suffolk constabularies are subject to continuous review, to ensure that all data under the constabularies’ control is properly protected,” he added.
Data watchdog the Information Commissioner’s Office has been informed of the incident. Stephen Bonner, deputy commissioner at the ICO, said: “The potential impact of a breach like this reminds us that data protection is about people. It’s too soon to say what our investigation will find, but this breach – and all breaches – highlights just how important it is to have robust measures in place to protect personal information, especially when that data is so sensitive.”
Bonner said the ICO is investigating the breach, as well as a separate breach reported in November 2022.
The charge sheet of police data mishaps
Last week the Police Service of Northern Ireland (PSNI) suffered a similar breach when information on a “substantial number” of the PSNI’s 10,000 staff was made public online in error as part of an FoI request. It was taken down hours later, but many staff reportedly fear their identities being made public could see them become the target for paramilitary groups.
Suffolk Police has also suffered from data handling issues in the past. Last November, a breach led to sensitive information about sexual assault victims being posted online. Hundreds of victims had their names, addresses, dates of birth and details of alleged sexual offences published on the force’s website. “Survivors of sexual violence who have reported to the police are entitled to lifetime anonymity,” the Suffolk Rape Crisis organisation said at the time.
And in December 2021, data was stolen from the Police National Computer, the shared database used by police forces across the UK. The leak was due to a software supply-chain attack by Russian ransomware gang Cl0p. The data was posted to the dark web, including close-up images of drivers recorded by automatic number plate recognition cameras, before being deleted shortly afterwards.
Leaks such as these highlight the difficulties law enforcement agencies have securing the data of citizens, says Andrew Whaley, senior technical director at security vendor Promon. “Who needs hackers when you have law enforcement paving the way for data breaches?” he asks. “It’s one thing when individuals entrust their data with the private sector, but it is particularly egregious when public bodies leak personal information like this, as the victims have absolutely no way of mitigating against such breaches.”