The personal data of hundreds of officers working for Greater Manchester Police has been exposed as the result of a ransomware attack against a third-party ID card supplier. According to a statement issued by the police department earlier today, the data included officers’ names, addresses and photographs. The breach is the fifth successful cyberattack on UK law enforcement agencies within the last two months.
Police officers and staff were informed of the hack yesterday. “At this stage, it’s not believed this data includes financial information,” said Assistant Chief Constable Colin McFarlane, in a statement. “We have contacted the Information Commissioner’s Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported. This is being treated extremely seriously, with a nationally-led criminal investigation into the attack.”
Another officer told BBC News anonymously that while the names of many officers were publicly available, there was particular concern regarding the identities of undercover officers.
The name of the third-party supplier and the specific number of those affected remain unknown.
Greater Manchester Police not alone in suffering data breach
This attack is the fifth data leak to hit a UK police force in under two months. In August, London’s Metropolitan Police Service suffered a similar breach, when hackers managed to break into the IT systems of another third-party supplier. The company had access to names, ranks, photos, vetting levels and pay numbers for officers and staff, said the force, but did not hold personal information such as addresses, phone numbers or financial details.
“To have their personal details potentially leaked out into the public domain in this manner, for all to possibly see, will cause colleagues incredible concern and anger,” said the vice-chair of the Metropolitan Police Federation, Rick Prior, at the time. “We share that sense of fury… this is a staggering security breach that should never have happened.”
This attack directly followed a data leak from Norfolk and Suffolk’s police forces, which saw the confidential data of over 1,000 citizens who had been victims of crime accidentally attached to an answer to a Freedom of Information (FOI) request. The leaked data was stored on a system used by the two police forces. In a joint statement issued at the time, they said that they had yet to find any evidence that the information had been accessed by third parties.
Earlier in August, information on a “substantial number” of the Police Service of Northern Ireland’s 10,000 staff was made public online in error as part of an FOI request. It was taken down hours later, but many staff reportedly feared that their identities being made public could have seen them become the target for paramilitary groups.