back to article You're not seeing double – yet another UK copshop is confessing to a data leak

Norfolk and Suffolk police have stepped forward to admit that a “technical issue” resulted in raw data pertaining to crime reports accidentally being included in Freedom of Information responses. The latest blunder follows a litany of recent errors elsewhere in the forces: Police Service in Northern Ireland (PSNI) last week …

  1. JimmyPage
    FAIL

    The data was hidden from anyone opening the files

    What does that even mean ?

    1. Hans Neeson-Bumpsadese Silver badge

      Re: The data was hidden from anyone opening the files

      It means the data was in an Excel file and was completely visible to anyone who spotted that the column numbers weren't sequential and then clicked on the 'Unhide' option.

      1. wolfetone Silver badge

        Re: The data was hidden from anyone opening the files

        Seems quite complicated.

        You sure they just didn't change the text colour to white?

        1. Dan 55 Silver badge

          Re: The data was hidden from anyone opening the files

          I'm sure they used higher grade protection than that, e.g. put the data starting at column AAA and row 65536.

      2. Yet Another Anonymous coward Silver badge

        Re: The data was hidden from anyone opening the files

        >to anyone who .... clicked on the 'Unhide' option.

        So that would be a hacking charge

      3. tinman
        Facepalm

        Re: The data was hidden from anyone opening the files

        I'd imagine it's more likely that they used a pivot table to select the data requested in the FOI but then when they copied that informaton to send it on they just used PASTE (CTRL+V) instead of using PASTE VALUES. That meant that the full dataset was embedded in the table and could be uncovered with a few clicks, even if the table had been pasted into a fresh excel workbook

        It happened to me where I made an internal request for the numbers of staff at different grades in different roles (the same request as was made in the recent PSNI leak), but noticed the file was far bigger than I would have expected. A couple of clicks later I found I had also been sent the names, dates of birth and National Insurance numbers for all 20K staff in our organisation, all the way up to the CEO. I resisted the temptation to start selling on the Dark Web

  2. anothercynic Silver badge

    Isn't it seeing triple now?

    I mean, first it was NI Police via a FOIA request, then Cumbrian Police via a FOIA request, and now Norfolk & Suffolk? That's three I count so far.

    Looks like people are being lazy when replying to FOIA requests, or are not given the appropriate training to ensure FOIA requests don't leak personal data.

    1. Anonymous Coward
      Anonymous Coward

      Re: Isn't it seeing triple now?

      I'm tempted to submit an FOI request asking how many people at each police force deal with FOI requests, and see if the names of the specific clerical staff end up in there somewhere.

      1. cyberdemon Silver badge
        Trollface

        Re: Isn't it seeing triple now?

        I suspect that the police will tell you that they are no longer planning to respond to any FOI requests ever again, because they are obviously such a massive security issue.

        Cynic? Moi?

    2. Anonymous Coward
      Anonymous Coward

      Re: Isn't it seeing triple now?

      Quadruple. Norfolk and Suffolk are separate police forces.

      1. Anonymous Coward
        Anonymous Coward

        Re: Isn't it seeing triple now?

        "based in the east of England " is a bit of an odd phrase

        I' would have used "cover their respective counties" but that might confuse LeftPondians, so could just say "In East Anglia"

        1. Anonymous Coward
          Anonymous Coward

          Re: Isn't it seeing triple now?

          I don't think it's a particularly odd phrase. Saying "their respective counties" is only meaningful if you know where Norfolk and Suffolk are. Likewise, referring to East Anglia" is only meaningful if you know where East Anglia is (and it's a stretch to imagine that someone knows where East Anglia is, but doesn't know that it's affectively a synonym for Norfolk & Suffolk)

          1. Doctor Syntax Silver badge

            Re: Isn't it seeing triple now?

            East of England includes everywhere from Northumberland to Kent.

            1. Steve Button Silver badge

              Re: Isn't it seeing triple now?

              Well, no. East of England generally refers to Norfolk and Suffolk. At least on the weather forecast, which is all that matters.

              Northumberland is in The North, and Kent is in The South East.

              Also, I'm not sure why they lump Norfolk and Suffolk together and in Suffolk we don't tend to marry our siblings (apart from Shotley, which used to get cut off regularly by the sea - so not much else to do I guess?)

              1. snowpages

                Re: Isn't it seeing triple now?

                The official EU Region included Cambridgeshire, Bedfordshire and Hertfordshire as well.

                I guess we can now define it however we like.

                Taking back control (TM)!

              2. Hans Neeson-Bumpsadese Silver badge
                Headmaster

                Re: Isn't it seeing triple now?

                Northumberland is in The North

                Yes...and Manchester isn't.

                (spoken as a Northumbrian)

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Isn't it seeing triple now?

                  Exactly.

                  I’ve been telling my Mancunian born wife this for years.

                  Howay the lads!

                2. CrazyOldCatMan Silver badge

                  Re: Isn't it seeing triple now?

                  Northumberland is in The North

                  Yes...and Manchester isn't.

                  From the perspective of my wife (Plymouth-born, father was Cornish) pretty much *everything* is in the North. Even Brizzle. Let alone my birthplace (Birmingham) - they are all 'up the line'.

              3. Doctor Syntax Silver badge

                Re: Isn't it seeing triple now?

                "East of England generally refers to Norfolk and Suffolk. At least on the weather forecast, which is all that matters."

                Context was post worrying about confusing Left-Pondians who won't be listening to UK weather forecasts. Taken literally by someone with no other context the East of England would literally* be anywhere from Northumberland to Kent inclusive.

                * Literally literally.

                1. Steve Button Silver badge

                  Re: Isn't it seeing triple now?

                  It was all just a set-up so I could get in a dig about Norfolk, which I like to do at every opportunity.

                  It's my only form of sport, and mostly risk-free as they tend not to be able to catch me as the webbed feet slow them down on land.

            2. anothercynic Silver badge

              Re: Isn't it seeing triple now?

              Not really, does tend to include counties like Lincolnshire and Rutland at times though, rather than as part of the 'East Midlands'.

              Northumberland is North East proper, Humberside is... I dunno, North East too? That's like East Yorks like York & co, innit?

          2. Gene Cash Silver badge
            Coat

            Re: Isn't it seeing triple now?

            Oh I'm American, I know where East Anglia is! It's just north of Nambia, right?

            1. jmch Silver badge
              Trollface

              Re: Isn't it seeing triple now?

              East Anglia is obviously to the East of West Anglia!!

              1. graeme leggett Silver badge

                Re: Isn't it seeing triple now?

                There is a College of West Anglia but it's campuses are all within the area of East Anglia

              2. CrazyOldCatMan Silver badge

                Re: Isn't it seeing triple now?

                East Anglia is obviously to the East of West Anglia!!

                And we are very definately not at war with them, despite what you might have heard last month.

                And why does Google Translate not include a 'Saxon' option eh?

          3. CrazyOldCatMan Silver badge

            Re: Isn't it seeing triple now?

            that someone knows where East Anglia is

            Simple - it's the territory of the East Angles. As opposed to the West Saxons or northern Norse.

          4. tiggity Silver badge

            Re: Isn't it seeing triple now?

            And arguably East Anglia in addition to Norfolk & Suffolk is generally regarded as including Cambridgeshire too* So east Anglia could be confusing too

            * And occasionally, to complicate things, some people argue for including parts of other areas too!

      2. awavey

        Re: Isn't it seeing triple now?

        technically yes they are separate forces, but they share alot of back office functions and some units are combined force units, so it absolutely makes sense that a FOI request data breach like this would impact both forces as a single entity, because the data spreadsheet was probably put together by the same group.

        I just hope theyve remembered to redact the online copies that would have been released

    3. Doctor Syntax Silver badge

      Re: Isn't it seeing triple now?

      "or are not given the appropriate training to ensure FOIA requests don't leak personal data"

      More likely this. A further possible cause is someone being handed the job just before the deadline and not having time to do the job.

      Whatever the factors there seems to be a collective lack of quality in this area. Perhaps the forces could join together to set up a central, properly staffed office to which it would be mandatory to send responses to review and release.

      1. Yet Another Anonymous coward Silver badge

        Re: Isn't it seeing triple now?

        >join together to set up a central, properly staffed office

        But that would allow the enemy access to their data

        1. anothercynic Silver badge

          Re: Isn't it seeing triple now?

          And it would also raise concerns about institutional overreach. The ACPO and the NPCC (in particular the former before it was disbanded and replaced by the NPCC) were/are accused of excessive data harvesting and objecting en masse to privacy measures, although the NPCC would the the natural place to put this kind of central FOIA request office...

          1. Anonymous Coward
            Anonymous Coward

            Re: Isn't it seeing triple now?

            NPCC already operarte a central clearing house function for FOI requests that are considered 'problematic' by Forces.

            When asked difficult questions via FOI it is not unusual for the send to be contacted by that function and asked why they are asking - its happened to me twice.

            Quite illegal of course - and I told them to bolt, but a standard practice.

    4. Fruit and Nutcase Silver badge
      Alert

      Re: Isn't it seeing triple now?

      I fear the politicians will take the easy option of restricting scope of the FOI Act, as they don't like scrutiny and view FOI requests as hindering their right to act with impunity

  3. m4r35n357 Silver badge

    Captain paranoid

    Certain actors attempting to discredit FOI?

    1. hoola Silver badge

      Re: Captain paranoid

      But, and this is often ignored, there are huge issues dealing with FOIA requests where organisations will not be robust enough in responding to the serial requesters and vexatious requests.

      I would surmise that teh actual request may have come from the same source. There are people out there who do nothing but send out request after request.

      I am not excusing the mistakes but having been on the receiving end of some of these:

      An inventory of all our network equipment, manufacturer, model, purchase date

      The same for all storage and servers

      The square meter area occupied for teaching space compared to admin.

      The list goes on.

      Management and CIOs are scared to say no so people run round sorting all this crap out.

      FOIA has it's place however it is just being abused and most of the requests are absolutely nothing to do with the original concepts when it was first setup.

      1. Robin

        Re: Captain paranoid

        Management and CIOs are scared to say no

        I'm not particularly up on this stuff, so it's a genuine question... what happens if they do say no? Surely there's a mechanism in the Act to tell people to do one if it's an unreasonable request?

        1. abend0c4 Silver badge

          Re: Captain paranoid

          The ICO has the details here.

          Of course, the UK government has gone out of its way to exploit every possible loophole in order to frustrate otherwise admissible requests.

          1. Robin

            Re: Captain paranoid

            Nice, thanks for the links! Interesting reading.

        2. jmch Silver badge

          Re: Captain paranoid

          "Surely there's a mechanism in the Act to tell people to do one if it's an unreasonable request?"

          Yes, absolutely, and also if it would cost too much.

        3. anothercynic Silver badge

          Re: Captain paranoid

          Organisations can look at the time it takes to gather the data, then work out how much that is in cold hard cash, and if it's over a certain limit, decline the request on the basis of cost and effort. They *can* charge you up to a certain amount for the FOIA request too, but if the amount exceeds the limit, they tend to turn it down.

          For example, a few years ago I made a request to Thames Valley Police about the number of accidents along a certain stretch of road, but because of the way the information was recorded, they couldn't provide exactly the information I requested because it would have cost too much to go through every single case recorded to get it (which is understandable). However, rather than refusing the request, TVP wanted to provide *something*, so they bracketed the request with provisos by saying "there are X number of cases in our system along the entire stretch of the road we're responsible for, but we can't tell you whether those cases included fatalities or injuries or not. They can include breakdowns, etc, effectively any report in which the road is mentioned".

          That's helpful to a degree, and the poor person having to go through every one of those cases to see if it was an accident or not, and whether it was in that specific stretch or not, probably cost more per hour than the information was worth.

      2. david 12 Silver badge

        Re: Captain paranoid

        What was that bit about "So far, Norfolk and Suffolk police reckon that data has not been accessed by anyone outside of policing"

        Does that mean that the FOI requests are coming from other police areas?

        (That would be in line with the way FOI requests are handled here: if you want any information, the way to request it is through a Freedom From Information Request).

      3. GruntyMcPugh

        Re: Captain paranoid

        Vexatious requests, oh dear, I work in local Govt, and luckily, some of our more vexatious citizens haven't realised FOIA means we have to respond, and instead just send emails to Councillors and the City Mayor. Most of our FOIA requests are salespeople fishing for information 'how much have you spent on Y in the last year' etc. The vexatious letters to the Mayor tend to be stuff like 'Do you shield people from the harmful effects of 5G in public libraries' etc.

        1. CrazyOldCatMan Silver badge

          Re: Captain paranoid

          Most of our FOIA requests are salespeople fishing for information

          Yup. We get that a lot too - especially as, for stuff bought through the Government Gateway, contract dates and awards are matters of public record. And bidding losers are *even* more likely to file lots of spurious FOI requests in order to try to make us reconsider. Likewise, suing us for rejecting their bid on the basis that 'we were prejudiced against them for x reason'.

          Fortunately, the team handling the contracts is very scrupulous about record keeping, in a form that makes responding to FOI relatively easy.

        2. Cynical Pie

          Re: Captain paranoid

          Sorry to tell you but those would potentially be valid FOI requests.

          They don't need to mention FOI or go to a central contact point. They just need to ask a question about/of the authority and go to the authority.

          Member of the public wouldn't see the distinction between members and the LA being a separate entity (which potentially they are for IG purposes) and the ICO would very much consider an FOI submitted to a member as being submitted to the Council for the purposes of FOI.

          I think your IG lead needs to do some staff training sharpish

  4. Howard Sway Silver badge

    The latest blunder follows a litany of recent errors elsewhere

    Somebody must be sat in an office somewhere trying desperately to think up a good excuse for all this.....

    "Following our investigation, we have concluded that no actual errors were made, the data was just going away on it's usual August Summer holidays"

  5. Spanners
    Big Brother

    Where's next?

    I suspect that Scotland will be next. Their very existence a a single item betrays huge political fiddling. It will then be something else that they can blame the former 1st minister for.

    1. Spazturtle Silver badge

      Re: Where's next?

      Scotland has already had a breech this week, they accidentally published all the personal details of all adopted and fostered children in Scotland.

      1. Doctor Syntax Silver badge

        Re: Where's next?

        "Scotland has already had a breech this week"

        No kilt?

      2. anothercynic Silver badge

        Re: Where's next?

        Wasn't the police though.

      3. Secon

        Re: Where's next?

        Actually the NRS said it was published on purpose as part of their normal activity and as such is NOT a reportable breach; but they've taken the data down whilst they review their way of working...

  6. elsergiovolador Silver badge

    Online Safety Bill

    Online Safety Bill will be fun. If your computer bricks, you will get your data back on darknet...

    1. Anonymous Coward
      Anonymous Coward

      Re: Online Safety Bill

      "Do you back up your data? Someone's backing it up. It ain't you." - A wise man in 2013

      1. Spanners
        Big Brother

        Re: Online Safety Bill

        I'm sure there was a Dilbert to that effect.

        Pity it is no longer available.

  7. xyz123 Silver badge

    ALL of these police authorities are "pre-punishing" police to try to get them to not go on strike for fairer pay and conditions.

    You'll notice not ONE single higher-ranking officers info was given away, as those were all removed "for reasons" shortly before the police authorities deliberately leaked the data.

    Now they're basically saying "if the police go on strike, someone might get access to EVEN MORE data about you and your fellow officers...."

    1. Anonymous Coward
      Anonymous Coward

      "ALL of these police authorities are "pre-punishing" police to try to get them to not go on strike for fairer pay and conditions."

      Eh? The police have been legally banned from striking since 1919.

      https://en.wikipedia.org/wiki/Police_strike#United_Kingdom

  8. Winkypop Silver badge
    Devil

    Bring out yer dead!

    A great time to fess up.

    Breach now and avoid the rush!

    1. Lurko

      Re: Bring out yer dead!

      Summer recess for parliament, meaning most MPs are happily sunning themselves in foreign climes, and a much more muted political reaction. Even when the loafers get back on 4 September, they're only around for a couple of weeks before swanning off for another 3-4 weeks for the "conference recess".

  9. ludicrous_buffoon

    Blame Bill

    This is the result of constantly making pointless changes to your user interface. It will only confuse some poor desk jockey further. They can't be bothered re-learning and re-training how to Excel because it will all be different in the next version anyway.

    Then because your product has penetrated so deeply into the crucial parts of society, this eventually happens. I'm certain it wont be the last time.

    1. FirstTangoInParis Silver badge

      Re: Blame Bill

      Guessing the problem is someone ran a report from an HR system that gave them the FOI data plus a pile more. Said report likely posted without understanding that said pile was still attached. As PSNI are now finding out, this is no laughing matter and will have repercussions for years to come.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like