The Police Federation of Northern Ireland has said there is a need for credible explanations from the PSNI following confirmation of a separate data breach containing details of hundreds of officers.
The PSNI is investigating the data breach involving the theft of documents, including a spreadsheet containing the names of more than 200 serving officers and staff. The documents involved in this breach were taken from a car in Belfast last month.
In a statement this evening, Liam Kelly, Chairman of the Police Federation which represents rank and file officers, said: "This confirmation by the service makes matters worse. Clearly, urgent answers are required. How did this happen? What steps were put in place to advise and safeguard so many colleagues.
"The major security breach was bad enough, but this heaps further additional pressure on the PSNI to produce credible explanations around data security protocols and the impact on officer safety.
"Speed is of the essence. This cannot be dragged out as officers of all ranks throughout the service are seeking reassurance and an effective action plan containing all necessary measures to counter the damage and minimise risk," he said.
It comes after the PSNI apologised yesterday after it emerged that some 10,000 officers and staff were affected.
The incident happened when the PSNI responded to a Freedom of Information request seeking the number of officers and staff of all ranks and grades across the organisation.
In the published response to this request a table was embedded which contained the rank and grade data, but also included detailed information that attached the surname, initial, location and departments for all PSNI employees.
The data was potentially visible to the public for between two-and-a-half to three hours.
Earlier, Mr Kelly said he has been "inundated" with messages from officers who are "shocked, dismayed and basically angry" after the data breach.
Liam Kelly said that the reality for a lot of PSNI officers is that they go to great lengths and do everything possible to protect their police identity and their role, due to the terrorist threat that is on them both on and off duty.
Speaking on RTÉ's Morning Ireland, Mr Kelly said: "So, when you hear that your own organisation has put some data into the public domain which could potentially compromise that, that has obviously led to justifiable anger and shock."
Going forward, he wants the PSNI to outline the steps it intends to take to support officers and their families, who are feeling vulnerable as a result of what has happened.
"They also need to outline what the mitigation and limitations that they are going to put in, in relation to the potential damage caused by this data breach," he added.
"And the investigation when it concludes will be able to quantify the exposure both online and identify the potential threat, risk and harm to individuals or groups of individuals."
Mr Kelly said some of the officers in some of the more sensitive roles might not be able to continue in those positions any longer due to what has happened.
"At the very top end of the spectrum, we could have officers who potentially may have to relocate - not only from their workplace but from their home address - if their information has gone into the hands of people who intend to cause them harm."
Speaking on RTÉ's Drivetime, the DUP's representative on the Northern Ireland Policing Board Trevor Clarke said it was "like something you'd see in a fictional movie or a drama".
He said he has been speaking with senior management at the PSNI and serving police officers.
"Clearly, they are dismayed by about how this could happen some of these individuals' families don't even know what to do and friends don’t know what to do.
"I’ve spoken to police officers today who are serving who have had a sleepless night last night concerned about the outworkings of all of this and where this could end."
In the data breach the surname, initial, rank, grade, locations, and departments for police officers across Northern Ireland were released.
"There are some different names out there who are working in very specialist roles, and I would be very concerned about them. I am not trying to alarm them anymore than they are already alarmed," Mr Clarke added.
"I think when you have got a very common name, I think it is less likely that people can identify you. But some of those more unique names or less popular names I think those people can be identified much more easily."
Mr Clarke will be attending an emergency meeting tomorrow with Chief Constable Simon Byrne.
He said it was too early to call for Chief Constable Byrne’s resignation and it was not helpful to jump to conclusions.
The PSNI is also investigating a separate data breach involving the theft of documents, including a spreadsheet containing the names of more than 200 serving officers and staff. The documents involved in this breach were taken from a car in Belfast last month.
Speaking on RTÉ’s Drivetime about this second breach, SDLP Assembly leader Matthew O'Toole said he agreed with his political counterpart Mr Clarke.
"It is extremely concerning. It is another situation in which data appears to have been compromised and officers put at risk, thankfully, significantly smaller number than last night's or yesterday's data breach.
"This is an extraordinarily dangerous position that has been created. And it is just frankly stunning that this has been allowed to happen in a situation where such sensitive data, personal data of serving police officers many of them are serving in sensitive roles."
He said the idea that this information was on a spreadsheet and was able to be downloaded by a junior member of staff and released raises many questions.
He added that Simon Byrne and senior leaders in the PSNI will need to provide convincing answers at the policing board tomorrow.
Cyber security experts react to PSNI data breach
Amid fears the information may have fallen into the wrong hands, cyber security experts have said tracking IP addresses, a unique address identifying a device on the internet or a local network, could help the authorities find out who viewed the data while it was online.
Mark Ryan, a professor in computer security at the University of Birmingham, said: "Typically, websites do have logs of what accesses are made so the website maintainer should be able to look at how many downloads there were, when they were and the IP address.
"There could be interesting information there. The log would contain the IP address. It would contain the date and the IP address of the browser."
He said the IP address may reveals details such as the user's geographic location.
He added: "Sometimes it is not very accurate but it's at least a start and you can find out who maintains and provides that IP address...
"In theory, you could even get back to an individual. In some cases at least, they could find out the person.
"One thing that makes it a bit complicated is there is a lot of IP address sharing going on, for example is someone downloaded it from an internet cafe."
Holly Williams, managing director of cyber security firm Akimbo Core, said it might be possible to trace who accessed the website, but she warned that if the data was downloaded and shared elsewhere this would be "very difficult to track".
On whether the authorities could track who viewed the FOI response while it was online, she said: "Yes, it could be possible. It wouldn't necessarily take GCHQ but it is possible to read through logs and see who has accessed a website.
"They could certainly look at the logs of the website to see who requested that, that would ordinarily, generally, disclose the IP address."
But she said that "if those people then shared that file the secondary share wouldn't be in those logs".
Jake Moore, a global cybersecurity adviser for the ESET software company, added: "What you probably will find is that anyone who did access that data, then those original and initial users would have been legitimate, innocent parties looking for the information that they were requesting in Freedom of Information.
"For illicit actors looking to access that incredibly sensitive information, it would be highly unlikely they would know it would appear in that very short time frame.
"However, all it takes is someone very savvy to realise that shouldn't have happened and release it on a platform such as Twitter. If that then got into dark web forums then yes it can be exploited, it would be exploited tenfold."
On tracking viewers, he said: "They should have a number of IP addresses that have been to that page but to know exactly who they may be is difficult."
David Stupples, a professor of electronic and radio engineering at City, University of London, said that "the breach seems to emanate from very lax security procedures".
He added: "Any security procedures should contain an audit function that will record who accessed the material and when.
"Online audit checks allow the authorities to trace the routing of data and should be able to limit distribution, so long as recipients can be trusted."
Reporting: PA
