Some 200 police officers and staff who had their details stolen were not told about the security breach for almost a month, the Police Service of Northern Ireland has confirmed.
A police-issued laptop, radio and documents were stolen on 6 July from a car that is understood to belong to a superintendent.
The documents included a spreadsheet containing the names of more than 200 serving officers and staff.
The PSNI’s Information Security Unit was informed on 27 July, but members of staff involved were not told until 4 August – almost a month after the data breach took place.
The force said the laptop and radio were deactivated shortly after the theft and it was “confident no data has been lost from these devices and they are of no use to any third party”.
It said: “The precise nature of the missing data had to be confirmed before we could inform our officers and staff on August 4. We have worked with our Data Protection Officer and sought legal advice and guidance to ensure the information we provided to our employees was accurate.”
A week of damaging data breaches
The theft was the second damaging data breach for the PSNI after the details of 10,000 officers and staff were published online for a number of hours on Tuesday.
Members of the force were left “incredibly vulnerable”, with surnames, initials, the rank or grade, the work location and departments of all PSNI staff compromised.
Officers’ and civilians’ private addresses were not exposed.
It also revealed members of the organised crime unit, intelligence officers stationed at ports and airports, officers in the surveillance unit and almost 40 PSNI staff based at MI5’s headquarters in Holywood, the Belfast Telegraph reports.
The PSNI declared a “critical incident”. The force apologised after it inadvertently published the information in relation to a Freedom of Information (FOI) request on Tuesday.
The breach came just hours after the Electoral Commission revealed “hostile actors” managed to hack its systems, exposing the data of more than 40 million voters.
How did the first breach take place?
Explaining how exactly the breach happened, PSNI Assistant Chief Constable Chris Todd said: “What’s happened is we’ve received a Freedom of Information request, that’s quite a routine inquiry, nothing untoward in that.
“We’ve responded to that request, which was seeking to understand the total numbers of officers and staff at all ranks and grade across the organisation, and in the response, unfortunately, one of our colleagues has embedded the source data, which informed that request.
“So, what was within that data was the surname, initial, the rank or grade, the location and the departments for each of our current employees across the police service.”
When asked how useful the information would be to terrorist organisations, Mr Todd said the breach is of “significant concern” to many colleagues and information on how they can protect their own personal security has been passed down.
Mr Todd said the information was mistakenly made public for approximately two and a half to three hours after being published at 2.30pm on Tuesday afternoon.
The data breach was brought to his attention at 4pm and was then taken down within the hour.