View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 15, 2023updated 16 Aug 2023 8:17am

It’s a fair cop: Norfolk and Suffolk police admit data breach

The information, which should have remained confidential, was accidentally attached to a Freedom of Information (FoI) request.

By Claudia Glover

Personal information on 1,000 victims of crime, witnesses and suspects, has been posted online following a data breach at Norfolk and Suffolk police forces. The data, which was stored in a jointly-held repository, related to a range of offences including domestic incidents, sexual offences and hate crimes.

Norfolk and Suffolk police forces have collectively lost sensitive data of over 1,000 citizens. (Photo by Simon Annable/Shutterstock)

The leak was due to a technical issue that led to raw data being wrongfully included in responses to Freedom of Information (FoI) requests, issued over the last two years. The two forces admitted the breach today, and said they have started to contact those affected.

Data of over 1,000 citizens leaked by Norfolk and Suffolk police

The leaked data was stored on a system used by the two police forces. In a joint statement they said that they have yet to find any evidence that the information has been accessed by third parties.

It is thought the data was leaked alongside information that was requested via FoI requests relating to crime statistics, dating from April 2021 to March 2022.

In total, 1,230 people have been affected by the leak. The forces say they will have completed the process of contacting all the victims by the end of September. Eamonn Bridger, the assistant chief constable of Suffolk Police, who led the investigation on behalf of both forces, apologised for the incident on behalf of the police

“I would like to reassure the public that procedures for handling FoI requests made to Norfolk and Suffolk constabularies are subject to continuous review, to ensure that all data under the constabularies’ control is properly protected,” he added.

Data watchdog the Information Commissioner’s Office has been informed of the incident. Stephen Bonner, deputy commissioner at the ICO, said: “The potential impact of a breach like this reminds us that data protection is about people. It’s too soon to say what our investigation will find, but this breach – and all breaches – highlights just how important it is to have robust measures in place to protect personal information, especially when that data is so sensitive.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Bonner said the ICO is investigating the breach, as well as a separate breach reported in November 2022.

The charge sheet of `police data mishaps

Last week the Police Service of Northern Ireland (PSNI) suffered a similar breach when information on a “substantial number” of the PSNI’s 10,000 staff was made public online in error as part of an FoI request. It was taken down hours later, but many staff reportedly fear their identities being made public could see them become the target for paramilitary groups.

Suffolk Police has also suffered from data handling issues in the past. Last November, a breach that led to sensitive information about sexual assault victims being posted online. Hundreds of victims had their names, addresses, dates of birth and details of alleged sexual offences committed, published on the force’s website. “Survivors of sexual violence who have reported to the police are entitled to lifetime anonymity,” the Suffolk Rape Crisis organisation said at the time. 

And in December 2021, data was stolen from the Police National Computer, the shared database used by police forces across the UK. The leak was due to a software supply-chain attack by Russian ransomware gang Cl0p. The data was posted to the dark web, including close-up images of drivers recorded by automatic number plate recognition cameras, before being deleted shortly afterwards.

Leaks such as these highlight the difficulties law enforcement agencies have securing the data of citizens says Andrew Whaley, senior technical director at security vendor Promon. “Who needs hackers when you have law enforcement paving the way for data breaches?” he asks. “It’s one thing when individuals entrust their data with the private sector, but it is particularly egregious when public bodies leak personal information like this, as the victims have absolutely no way of mitigating against such breaches.”

Read more: AI will extend the scale and sophistication of cybercrime

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.