A third-party data breach has exposed the personal data of UK’s Greater Manchester Police (GMP) officers and staff. The breach affected a company that produces GMP’s staff ID cards.
However, the number of impacted individuals and the nature of the data breached remains undetermined. GMP has also withheld the identity of the Stockport, Manchester-based third-party supplier.
Operating in the Greater Manchester region in North West England, GMP employs about 8,000 police officers, over 3,000 staff members, and 560 support officers. It polices an area of about 2.7 million people.
GMP third-party data breach involved ransomware
Assistant Chief Constable Colin McFarlane of Greater Manchester Police disclosed that the security breach involved ransomware.
“We are aware of a ransomware attack affecting a third-party supplier of various UK organizations, including GMP, which holds some information on those employed by GMP. At this stage, it’s not believed this data includes financial information.”
However, the threat actor’s identity remains a secret, and no ransomware gang has taken responsibility. GMP has not disclosed if it has received any ransomware demands.
Meanwhile, a national investigation into the third-party data breach involving regulatory and law enforcement agencies has commenced.
“We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioners Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported. This is being treated extremely seriously, with a nationally-led criminal investigation into the attack,” added ACC Colin McFarlane.
Besides cyber attacks targeting the impacted individuals, the third-party data breach risks exposing undercover officers and agents working on special missions. Subsequently, the National Crime Agency (NCA) has stepped in to prevent this possibility.
“While it’s reassuring to learn that financial details and home addresses were not compromised, the exposure of names, ranks, and photographs from warrant badges can still have significant implications,” said Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “Such information can be leveraged for identity theft, social engineering attacks, or even the targeting of specific police officers.”
Worrying trend of law enforcement data breaches
UK’s law enforcement agencies have reported numerous data breaches in the past 12 months, creating a worrying trend.
In August 2023, the Metropolitan Police Service (MPS) suffered a similar third-party data breach involving a warrant cards supplier, exposing the identities of approximately 47,000 police officers.
Rick Prior, the Metropolitan Police Federation Vice Chair, described the “staggering” MPS third-party data breach as infuriating.
An investigation determined that the MPS third-party data breach exposed the names, photographs, and ranks of police officers. The GMP and MPS data breaches likely originated from the same firm and disclosed similar information.
Similarly, the Police Service of Northern Ireland (PSNI) and Norfolk and Suffolk constabularies reported unfortunate data leaks in 2023. The latter exposed raw crime data, including incident descriptions and witnesses and suspects’ identities.
The recent string of law enforcement data breaches suggests that UK law enforcement agencies should review their cybersecurity policies, including when selecting third-party suppliers.
“The attack exposing Greater Manchester Police Officers’ personal details highlights the importance of holistically assessing an organization’s cybersecurity posture – no stone must be left unturned,” said Caleb Mills, Professional Services Director at Doherty Associates. “This is especially true because security controls, no matter how robust, can be rendered ineffective if there are vulnerabilities within the supply chain. Your security is only as strong as its weakest link.”