The data of thousands of Greater Manchester Police (GMP) officers has been stolen after the force fell victim to the same third-party ransomware attack that hit the Metropolitan Police last month.
Information including officers' names, photos and police identity numbers were stolen in the attack, as well as other data taken from the force’s third-party supplier of ID warrant cards, Digital ID.
GMP said that no home addresses or financial information had been stolen and that the UK’s National Crime Agency would be leading the investigation into the hack.
“We are aware of a ransomware attack affecting a third-party supplier of various UK organisations, including GMP, which holds some information on those employed by GMP,” Assistant Chief Constable Colin McFarlane confirmed in a statement.
"We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioners Office (ICO) and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported."
Cyber attacks on British police ramp up
The attack comes less than a month after a similar attack on the metropolitan police, which saw hackers compromise the IT systems of one of the force’s suppliers and steal data including names, ranks, photos and pay numbers for over 47,000 police officers and staff.
It also follows another third-party hack on the Police Service of Northern Ireland (PSNI) earlier in August, which exposed ID information, ranks and the location data of 10,000 police officers.
Some of this data was later leaked online, exposing the identities of undercover officers and putting the safety of police staff at risk.
"Another day, another data breach for the British police force,” said Brad Freeman, Director of Technology at SenseOn.
“Whilst the financial details and home addresses of the police officers are believed to have not been retrieved in the incident, it is concerning that the data from the warrant badges is currently in the possession of the cybercriminals. This could enable the adversaries to carry out further attacks such as account takeover or BEC attacks."
Erfan Shadabi, Cybersecurity Expert at Comforte, agreed that the stolen information should bring no comfort to GMP – even without financial information being stolen.
“The exposure of names, ranks, and photographs from warrant badges can still have significant implications. Such information can be leveraged for identity theft, social engineering attacks, or even the targeting of specific police officers,” Shadabi said.
“It is essential for law enforcement agencies to conduct rigorous security assessments of their third-party suppliers and ensure they meet stringent cybersecurity standards.
“Additionally, implementing robust monitoring, detection, and response mechanisms can help organisations identify and respond quickly to potential breaches.”
More breaches to come
Both the attacks on GMP and the Metropolitan police are reportedly linked to a single IT security incident involving the Stockport-based firm Digital ID, which makes ID cards and access pass makers for multiple police departments around the UK.
The company confirmed in a statement in the press that it had been affected by a security incident earlier this month but has yet to provide any further details about the breach.
However, The Sun reported that Digital ID’s managing director was contacted by hackers – apparently located overseas – who demanded a ransom from the company.
Given the firm’s extensive business reach across the UK, the extent of the incident may not be known, and other UK police departments and companies using the supplier may soon announce similar data breaches.
A comparable incident affecting the third-party file-transfer software MOVEit saw organisations around the world impacted, with many not announcing breaches until weeks after the initial incident took place.
"There is an inherent risk involved anytime a company outsources and entrusts sensitive information with third-party providers,” said Anne Cutler, Cybersecurity Evangelist, Keeper Security.
When the organization does not own and operate the infrastructure that holds these resources, it not only lacks control, but it has reduced visibility in the event of an emergency such as a data breach like this.
“This particular data leak serves as yet another reminder of why everyone must make cybersecurity a priority. In cases where personal information is stolen, the impacts of a data breach are felt long after it’s been discovered and contained, Cutler added.
As the world becomes increasingly interconnected and complex, so too does the risk landscape. That’s why it’s more important than ever for business leaders and department heads to stay up-to-date on the latest trends and best practices.
Taking place on October 18-19, 2023 at ExCel London, #Risk London is the premier event for risk professionals in the UK. With over 100 exhibitors, keynote presentations from over 200 experts and thought leaders, panel discussion