PSNI data breach that revealed details of officers could cost £240m in security and legal costs
A major PSNI data breach could potentially cost the force £240 million in security and legal costs, MPs have been told.
Assistant chief constable Chris Todd also told the Northern Ireland Affairs Committee that almost 4,000 officers and staff have come forward with concerns after their personal information was released online.
The committee is investigating the data breach in which details of around 9,500 PSNI officers and staff were mistakenly published last month in response to a freedom of information request.
The PSNI has confirmed the list, which included the surname and first initial of every employee, their rank or grade, where they are based and the unit they work in, is in the hands of dissident republicans.
Committee chair Simon Hoare asked Mr Todd if the PSNI had done an assessment of the cost of mitigating the impact of the data leak.
Mr Todd said recovery costs around security measures were estimated at £24 million to £37 million.
He confirmed this did not include the cost of potential compensation claims.
He said: “In terms of individual litigation we naturally will plan for that eventuality.
“I would estimate that could be in the region of £150-180 million.”
Mr Hoare said: “We are talking in ballpark terms of an unexpected expenditure of about £230-240 million.
“Existing budgets could not sustain that?”
Mr Todd said: “No. We already have a funding gap of around £50 million.”
MP Robert Buckland asked how many people had viewed the information on the freedom of information request within the PSNI before it was released publicly.
Mr Todd said: “In a query of that nature four or five people.
“It has gone through a number of eyes, the mistake has not been rectified or identified which suggests that we have systems errors we need to address.”
Mr Hoare said: “It does beggar belief that everybody made the same mistake. The odds of four people not spotting such a glaring error would be very considerable.”
Mr Todd responded: “It was not glaring to the naked eye and that is part of the issue. The fact that the core dataset remained attached was not obvious to the naked eye.”
The committee chair said the breach “smacked of incompetence”.
Mr Todd said: “If an individual misses something you might immediately go to that conclusion, when two people miss it you may start to question that, in this case where four (people missed it), I think we need to look beyond incompetence on an individual human basis and look at the competence of the system and process which allowed that to happen.”
The senior officer said that by the weekend 3,954 members of the organisation had come forward to register concerns about their personal information being shared.
He said the information was viewed approximately 300 times online before it was taken down.
Mr Hoare said: “You have sought to assure us you are absolutely confident this was effectively human error and you have no concerns at all that this wasn’t a deliberate breach of data.
“I am finding it hard as a layman to understand why four people didn’t spot it over a period of time but the recipient within two and a half hours does.
“I am not writing the plotline of Line Of Duty but it just strikes me as stretching credulity a little too far.”
Mr Todd said he had no concerns that the leak was done deliberately.
He added: “There is an ongoing investigation into how the leak happened.
“The initial assessment was very clear there was no mal-intent in any of the individuals involved in this breach.”
Former chief constable Simon Byrne had been expected to appear as a witness before the committee before he resigned from his position this week.