Cumbrian Police accidentally publish all officers’ details online – Source: go.theregister.com

Cumbria Constabulary inadvertently published the names and salaries of all its officers and staff online earlier this year, making it the second UK force in a fortnight to admit disclosing personal information about its employees.

In this incident, the Cumbrian police admitted the names, salaries and allowances for all officers and staff were published to its website. It is understood to have occurred in the spring, and human error is being blamed for the unwitting disclosure.

In a statement, the force told The Register: “Cumbria Constabulary became aware of a data breach on Monday 6th March 2023 where information about the pay and allowances of every police officer and police staff roles as at 31st March 2022 was uploaded to the Constabulary’s website, which was a human error.”

The data also included names and positions of staff, but did not contain information about the locations where the posts were deployed or personal details such as address or date of birth, the statement said.

According to the force, the information was removed as soon as its inadvertent publication had been identified, but it did not say how long it had been online before the error was discovered.

Cumbria Constabulary said it immediately contacted all affected staff about the mistake, explained to them the impact of this disclosure was low and outlined the measures it had put in place to manage the leak and to prevent it happening again.

The incident was referred to the Information Commissioner’s Office (ICO – the UK data regulator), the force told us. It claims the ICO determined that no further action was necessary, beyond giving some advice and recommendations. The ICO was satisfied with the actions the Constabulary had taken and the robust steps which were put in place to prevent any further data breaches.

The ICO confirmed this to us: “Cumbria Constabulary made us aware of an incident in March 2023. The information provided was carefully assessed and the organization provided details about the steps taken in response to the incident. We provided data protection advice and concluded that no further action was necessary. We assess reported incidents on a case-by-case basis and any action is based on the specific facts and circumstances.”

The news follows last week’s leak involving the Police Service of Northern Ireland (PSNI), where a spreadsheet containing details of serving police officers plus civilian staff members was mistakenly posted online.

• Electoral Commission had internet-facing server with unpatched vuln
• Northern Ireland police may have endangered its own officers by posting details online in error
• Criminal records office yanks web portal offline amid ‘cyber security incident’
• UK police to spend tens of millions on legacy comms network kit
• UK government has ‘no clear plan’ for replacing ageing legacy IT estate, MPs report

That disclosure of information was potentially serious, as officers in Northern Ireland regularly face threats from extremists. While the police in Cumbria do not face the same kind of dangers, it is nonetheless worrying that two British forces should inadvertently publish information about their own officers within the space of a few months.

According to the Financial Times, the PSNI is bracing itself for fines following the news of the incident.

Chief constable Simon Byrne was reported to have been given a “grilling” by the force’s own oversight body, and said he was working on the assumption that it would be liable to penalties from the ICO or from officers bringing their own legal claims about the disclosure of their personal data. The ICO is currently investigating the incident. ®