Request Number: FOI/15647

Category: Organisational Information & Performance - Security and Data Protection

Subject: Data Breaches

Request and Answer: 
Your request for information has now been considered. Please see below in response to your request.

Request 1
Could you please provide a breakdown of the number of data breaches in each of the calendar years 2022, 2023 and 2024?

Request 2
Could you provide a breakdown into the nature of these breaches for each year 2022, 2023, 2004?

Answers 1 & 2
The Police Service of Northern Ireland records this information in respect of ‘data incidents’ and has provided the table below in response to your request:

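| Nature of incident | 2022 | 2023 | 2024 |
| --- | --- | --- | --- |
| Incidents involving email | 3 | 12 | 20 |
| System Misuse | 17 | 19 | 5 |
| Paper docs | 16 | 31 | 13 |
| Miscellaneous | 3 | 14 | 10 |
| Total | 39 | 77 | 50 |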

Partial NCND
In relation to cyber related data incidents, we are providing a Neither Confirm Nor Deny (NCND) response, the rationale for which has been explained below.

Section 1 of the Freedom of Information Act 2000 (FOIA) places two duties on public authorities. Unless exemptions apply, the first duty at Section 1(1)(a) is to confirm or deny whether the information specified in the request is held. The second duty at Section 1(1)(b) is to disclose information that has been confirmed as being held.

Where exemptions are relied upon, Section 17(1) of FOIA requires that we provide the applicant with a notice which:
a) states that fact,
b) specifies the exemption(s) in question and
c) states (if that would not otherwise be apparent) why the exemption applies.
The Police Service of Northern Ireland (PSNI) can Neither Confirm Nor Deny that it holds some of the information relevant to your request as the duty in Section 1(1)(a) of the Freedom of Information Act 2000 does not apply by virtue of the following exemption(s):

Section 24(2) - National Security - The duty to confirm or deny does not arise if, or to the extent that, exemption from section 1(1)(a) is required for the purpose of safeguarding national security.

Section 31(3) - Law Enforcement - The duty to confirm or deny does not arise if, or to the extent that, compliance with section 1(1)(a) would, or would be likely to, prejudice any of the matters mentioned in subsection (1).

The full text of exemptions can be found at www.legislation.gov.uk and further guidance on how they operate can be located on the Information Commissioner’s Office website www.ico.org.uk.

‘Neither Confirm nor Deny’ (NCND)
There may be occasions when complying with the duty to confirm or deny under section 1(1)(a) would in itself disclose sensitive or potentially damaging information that falls under an exemption. In these circumstances, the Act allows a public authority to respond by refusing to confirm or deny whether it holds the requested information.

The decision to issue a ‘neither confirm nor deny’ response is not affected by whether we do or do not hold the information but relates to the consequences of confirming or denying the information is held. The starting point and main focus in most cases will be theoretical considerations about the consequences of confirming or denying that a particular type of information is held. The decision to neither confirm nor deny is separate from a decision not to disclose information and needs to be taken entirely on its own merits.

PSNI follow the Information Commissioner’s Guidance in relation to ‘NCND’ and you may find it helpful to refer to this at the following link:

https://ico.org.uk/for-organisations/guidance-index/freedom-of-information-and-environmental-information-regulations/when-to-refuse-to-confirm-or-deny-holding-information/

NCND Exemptions Explained
Harm in Confirming or Denying that Information is held
To confirm or deny whether any further information is held in respect of successful cyber-attacks resulting in Data Breaches would provide actual knowledge of whether, where an attempt has been made, it has or has not been successful. Confirming that such information is not held may assist potential attackers by indicating that an attack had gone undetected. Equally, confirming information is held would enable understanding of where attacks have been successful and where possible weaknesses exist. Attackers may then be able to tailor their methods to increase their chances of success.

To confirm or deny whether information is held in respect of any leaked data as a result of an attack would, in effect, confirm that there had been successful cyber-attacks made against the force, which would present harm as detailed above.

Furthermore, in order to counter criminal and terrorist behaviour it is vital that the police and other agencies have the ability to work together, where necessary covertly, in order to obtain intelligence within current legislative frameworks to ensure the arrest and prosecution of offenders who commit or plan to commit acts of terrorism, whereby their modus operandi may involve cyber-attacks on secure databases. In order to achieve this goal, it is vitally important that information sharing takes place with other police forces and security bodies within the United Kingdom in order to support counter-terrorism measures in the fight to deprive terrorist networks of their ability to commit crime. To confirm or deny specific details of any breaches of information technology and security would be extremely useful to those involved in terrorist activity as it would enable them to map vulnerable information security databases.

Public Interest Considerations
Section 24(2) National Security
Factors in favour of confirming or denying that information is held
The public are entitled to know how public funds are spent and how resources are distributed within an area of policing. To confirm information is held regarding successful cyber-attacks causing Data Breaches would enable the general public to hold PSNI to account, ensuring all such breaches are recorded and investigated appropriately. With the call for transparency of public spending this would enable improved public debate.

Factors against confirming or denying that information is held
Security measures are put in place to protect the communities we serve. As evidenced within the harm, to confirm whether any cyber-attacks have been successful would highlight to terrorists and individuals intent on carrying out criminal activity vulnerabilities within PSNI which could be further exploited.

Taking into account the current security climate within the United Kingdom, no information (such as the citing of an exemption which confirms information pertinent to this request is held, or conversely, stating ‘no information is held’) which may aid a terrorist should be disclosed. To what extent this information may aid a terrorist is unknown, but it is clear that it will have an impact on a force’s ability to monitor terrorist activity.

Irrespective of what information is or isn’t held, the public entrust the PSNI to make appropriate decisions with regard to their safety and protection and the only way of reducing risk is to be cautious with what is placed into the public domain.

The cumulative effect of terrorists gathering information from various sources would be even more impactful when linked to other information gathered from various sources about terrorism. The more information disclosed over time will give a more detailed account of the tactical infrastructure of not only a force area but also the country as a whole.

Any incident that results from such a disclosure would, by default, affect National Security.

Section 31(3) – Law Enforcement
Factors favouring confirming or denying that information is held
Confirmation that information exists relevant to this request would lead to a better informed public which may encourage individuals to provide intelligence in order to reduce such security breaches.

Factors against confirming or denying that information is held
Confirmation or denial that information is held in this case would suggest PSNI take their responsibility to protect information and information systems from unauthorised access, destruction, etc., dismissively and inappropriately.

Balancing Test
The points above highlight the merits of confirming or denying the requested information exists, in terms of cyber related incidents. The PSNI is charged with enforcing the law, preventing and detecting crime and protecting the communities we serve. As part of that policing purpose, information is gathered which can be highly sensitive relating to high profile investigative activity. Weakening the mechanisms used to monitor any type of criminal activity, and specifically terrorist activity, would place the security of the country at an increased level of danger.

In addition, anything that places that confidence at risk, no matter how generic, would undermine any trust or confidence individuals have in the PSNI. Therefore, at this moment in time, it is our opinion that for these issues the balancing test favours neither confirming nor denying that information is held.