Cumbria Police has acknowledged a data breach that resulted in online publication of names and salaries for all its personnel.
This incident follows an “industrial scale breach of data” at the Police Service of Northern Ireland (PSNI) last week, which saw certain details about approximately 10,000 officers and personnel unintentionally exposed online for some hours.
Cumbria, which is one of the smallest police forces in Britain, told The Guardian that the breach occurred due to human error and that the names of officers and staff as well as their positions were exposed as a result of the incident.
Even the details of officers in sensitive roles were uploaded to the internet. The breach occurred in March and remained undisclosed until now.
A total of 1,304 police officers, 756 staff members, and 52 police community support officers were impacted by the incident.
“Cumbria Constabulary became aware of a data breach on Monday March 6 2023 where information about the pay and allowances of every police officer and police staff roles as at March 31, 2022 was uploaded to the Constabulary’s website, which was a human error,” the police force said.
“The pay and allowance data also included names and position, however, it did not contain information about where the posts were deployed from or personal details such as date of birth and address.”
Once Cumbria Constabulary became aware of the breach, it said it promptly reached out to every individual affected by the incident and the information was removed. The force said the impact of the breach was minimal.
The police force has taken steps to address the breach, implementing measures to both manage the situation and prevent its recurrence.
The breach was reported to the Information Commissioner’s Office (ICO).
According to Cumbria police, the ICO concluded that no additional actions were required, but it did provide guidance and suggestions to the police as part of its response. The ICO was satisfied with the measures undertaken by the constabulary and the comprehensive precautions implemented to prevent any subsequent data breaches.
“Cumbria constabulary made us aware of an incident in March 2023. The information provided was carefully assessed and the organisation provided details about the steps taken in response to the incident,” an ICO spokesperson said.
“We provided data protection advice and concluded that no further action was necessary. We assess reported incidents on a case-by-case basis and any action is based on the specific facts and circumstances.”
Although the data breach involving the Cumbria force is of a lesser magnitude than the one experienced by the PSNI, it still stands as an embarrassing failure to keep sensitive data secure.
On Tuesday, the PSNI disclosed a data breach that also occurred as a result of human error. The breach led to the inadvertent online exposure of delicate information concerning all current officers and staff members for a duration of several hours.
The details were mistakenly published in response to a Freedom of Information (FOI) request and included the last names, initials, ranks or positions, work locations and departments of all PSNI personnel.
PSNI chief constable Simon Byrne later said that “dissident republicans” had claimed to possess information exposed in the data breach, which could be used to target people working for the organisation.
He added that the police force was providing guidance to its officers and personnel regarding possible threats and risks.