A ransomware attack on a third-party supplier to Greater Manchester Police (GMP) has exposed personal data of more UK police officers.
The attackers reportedly targeted a company in Stockport, near Manchester, UK, which makes ID cards for various organizations, including GMP. It therefore holds personal details of staff working at GMP, which recently celebrated employing over 8000 police officers for the first time.
There are now major concerns that police officers’ names, including those working undercover or in sensitive areas like surveillance and intelligence, could become publicly available.
ACC Colin McFarlane of Greater Manchester Police said the incident is being treated “extremely seriously,” with a nationally-led criminal investigation being undertaken.
“We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioners Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported,” commented McFarlane.
It is not believed at this stage that any financial data was accessed by the attackers.
UK Policing Suffers Multiple Data Breaches
The incident comes shortly after an accidental leak of the personal details of police officers and civilian personnel working at the Police Service of Northern Ireland (PSNI) following a Freedom of Information (FoI) request in August. This information included the surnames and initials of current employees in the service, their rank or grade, and the location and department they work in.
Experts note that the exposure of police officers’ identities could have serious ramifications, with these individuals potential targets for terrorist and other criminal groups.
Commenting on the story, Jake Moore, Global Security Advisor at ESET, and former Cybersecurity Advisor to Dorset Police, said the consequences of the breach on police officers and staff could be “harrowing”.
He added that the attack demonstrates that critical public sector organizations like the police must carefully vet the security of all third-party suppliers as well as focusing on their own internal measures.
“Many businesses in the police’s supply chain will handle extremely sensitive data but it is imperative that they are checked not only in terms of vetting but in terms of security protocols as well. When dealing with this level of sensitive information that could cause huge knock-on effects it is vital that they are protected to the highest possible standard,” said Moore.
In another recent case of a UK police data breach, information of over 1000 individuals, including crime victims, were accidentally exposed by Norfolk and Suffolk police.