Northern Ireland cops count human cost of August data breach

An official review of the Police Service of Northern Ireland's (PSNI) August data breach has revealed the full extent of the impact on staff. The incident, which affected 9,483 officers, was branded "the most significant data breach that has ever occurred in the history of UK policing" by Commissioner Pete O'Doherty of the …

  1. wolfetone Silver badge

    The very least the PSNI could do is rehome the officers affected by the breach. It's the bare minimum really that you could do if your mistake has put people's lives in very real danger.

    But of course not. Someone fucks up, everyone is all very sorry until it comes time to making it right. At that point they might as well go "Well, we're not that sorry".

    1. Valeyard

      Surely there are follow-on issues; if I was looking at buying a house that was vacated as a potential terrorist target I'd want to know

      1. pig

        That is a bloody good point.

      2. I could be a dog really Silver badge

        That was the very first thing that came to mind when I read "relocating". You can be sure that at least some of the people who would use violence won't be the sharpest pencils in the box and be able to figure out that the house is now home to someone completely unrelated to the police - or perhaps they'll consider anyone buying a house from a police officer as "fair game" for dealing with them.

        1. Valeyard

          It has happened before, see "the border fox". Went to kidnap an MP... kidnapped someone who'd bought the target's house and tortured him anyway

  2. Doctor Syntax Silver badge

    "consider the implications of the Report and a timeframe for the completion of relevant actions"

    Another cause for delay in getting round to tackling with utmost dispatch for those officers put at risk.

  3. Mike 137 Silver badge

    "DPIAs were highlighted by the ICO as an area in need of attention"

    The fundamental problem with DPIAs (as with practically all self-conducted risk assessments) is that what you take for granted biases your judgement. This is commonly coupled with a definition of risk as risk to the organisation, not risk to those it serves -- in the data protection case, risk to data subjects.

    The only solution to this is summed up by "Crow's Law" quoted by R. V. Jones in "Most Secret War" -- "do not think what you want to think until you know what you ought to know". Sadly, adopting that principle takes both a leap of imagination and a substantial effort the enthusiasm for which is typically absent in large organisations, particularly in strongly hierarchical ones, which tend to rely on procedures handed down from above without much scrutiny of their applicability or application in the front line. So they tend not to work in practice.

    1. Anonymous Coward

      Re: "DPIAs were highlighted by the ICO as an area in need of attention"

      That's assuming DPIAs are performed at all, and that they are not performed *after* the fact (i.e. the possible processing a DPIA is intended to consider has already been implemented and the retrospective DPIA is simply a CYA measure).

  4. Bitsminer Silver badge

    Threats

    "With the significant threats facing policing by external cyber threat actors, we can't allow ourselves to be vulnerable from within and must do everything in our power to protect our data, information, and infrastructure, and give our staff and members of the public, the absolute confidence and trust that we will protect their information," said O'Doherty.

    The reality is the above paragraph applies to every organization on the planet, not simply PSNI.

    I wonder how many achieve these goals.

    1. Michael Wojcik Silver badge

      Re: Threats

      > I wonder how many achieve these goals.

      None. No organization does "everything within [its] power" to protect data, because if it did, it would have no resources remaining for any other purpose.

      Spokespeople have to spout fine-sounding words with vague and overstated commitments. When it comes to actual security policies and practices, however, reality must intrude, or the effort will be unproductive.

      Similarly, no one who understands security should ever give "absolute trust" in anything. That's fundamentally true at an epistemological level; you shouldn't assign probability 1 to any hypothesis,[1] because, by Descartes' "evil genius" argument, your sensory and/or cognitive capabilities might be compromised.

      [1] Except the hypothesis that something is considering hypotheses and assigning probabilities to them (cogito ergo sum). But even that might only be occurring for an infinitesimal period of time, as you might be a Boltzmann brain.

      1. I could be a dog really Silver badge

        Re: Threats

        Which is why virtually all safety/security rules etc. use the word "reasonable" - i.e. take all measures reasonably practical. What is "reasonable" varies depending on context - for membership of your local (say) bowling club, the bar is fairly low; but for information that someone is a serving police officer in a hostile environment like NI, the bar is (or should be) very high.

  5. Winkypop Silver badge

    “ethno-nationalist conflict”

    A very good article, most enlightening. It goes into much more care and detail than most I’ve read on the subject.

    However why not just call it what it is: religious-based hatred?

    1. Anonymous Coward

      Re: “ethno-nationalist conflict”

      > However why not just call it what it is: religious-based hatred?

      Not all Nationalists are Catholic, not all Loyalists are Protestants.

      Calling it "religious-based hatred" is, at best, a gross simplification.

      1. Michael Wojcik Silver badge

        Re: “ethno-nationalist conflict”

        Yeah. There might be a few centuries' worth of history complicating the situation just a bit.

        It's not even all ideological, of course. There were, and are, any number of personal motivations (revenge, for example), and some years prior to the Accords I read a lengthy analysis about how much of the conflict had devolved into criminal organizations running straight-up extortion rackets under the guise of adherence to one cause or the other.

        War is pretty much never simple.

    2. Valeyard

      Re: “ethno-nationalist conflict”

      > However why not just call it what it is: religious-based hatred?

      Since when were the political views of whether to remain in the UK or reunite with Ireland turned into religions?

      There are correlations that various followers of certain religions may align more to one side or the other but that's at best a nice heuristic and there are many exceptions (me being one of them which leads to some light ribbing from family)

  6. ShingleStreet

    I misread who had been tasked with the review…

    I live in Northern Ireland, where we have had no functioning government for a couple of years, a bunch of incompetents arguing with each other about whether they should go back to their desks in Stormont and continue arguing there and a collection of public services that would be on their knees if only they had any knees left to be on.

    Having said all that, I thought we had plumbed a new low when I misread (and believed, sadly) that Pete Doherty had been tasked with this review.
