UK police data breach exposes victim information

The UK's Norfolk and Suffolk police constabularies have disclosed the accidental exposure of personal data belonging to more than 1000 individuals, including victims of crime. The agencies said they identified an issue relating to a very small percentage of responses to Freedom of Information (FOI) requests for crime statistics, issued between April 2021 and March 2022.

A technical issue led to some raw data belonging to the constabularies being included within the files produced in response to the FOI requests in question. The data was hidden from anyone opening the files, but it should not have been included, an official statement read.

The disclosure came just a few days after the Police Service of Northern Ireland (PSNI) admitted to suffering two separate data breaches. The first centred on the exposure of information on serving police officers and civilians in response to an FOI request from a member of the public relating to officer rank and staff grades. An error led to the sharing of a large Excel spreadsheet containing the surnames and initials of current employees alongside the location and department within which they work.

The second involved the theft of documents including a spreadsheet containing the names of more than 200 serving police officers and staff from a "private vehicle" in the Newtownabbey area in Northern Ireland.

Exposed personal identifiable information related to victims, witnesses, and suspects

The affected data in the Norfolk and Suffolk police cases was information held on a specific police system and related to crime reports, the statement read. The data includes personally identifiable information on victims, witnesses, and suspects, as well as descriptions of offences. It related to a range of offences, including domestic incidents, sexual offences, assaults, thefts, and hate crimes.

"A full and thorough analysis into the data impacted has now been completed and today, we have started the process of contacting those individuals who need to be notified about an impact to their personal data," the statement continued. This will be done via letter, phone, and in some cases face to face depending on what information was impacted and what support is required. This process is expected to be complete by the end of September with a total of 1,230 people whose data has been breached to be notified.

ICO has been notified of the data breach

The forces said that people affected by the breach will be provided with all necessary information including what personal data specific to them has been impacted and details of who to contact for support.

"A dedicated specialist team has been set up to handle any queries about this incident. Strenuous efforts have been made to determine if the data released has been accessed by anyone outside of policing." At this stage, there is no evidence to suggest that this is the case, they added.

"We would like to apologize that this incident occurred, and we sincerely regret any concern that it may have caused the people of Norfolk and Suffolk," said assistant chief constable of Suffolk Police, Eamonn Bridger.

The Information Commissioner's Office (ICO) has been notified and is being kept updated.