Greater Manchester Police officers' details hacked in cyber attack

The company, which makes warrant cards, holds information on various UK organisations including some of the staff employed by GMP.

The force has confirmed it is aware of the ransomware attack.

ACC Colin McFarlane said: “We are aware of a ransomware attack affecting a third-party supplier of various UK organisations, including GMP, which holds some information on those employed by GMP.At this stage, it’s not believed this data includes financial information.

“We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioners Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported.

“This is being treated extremely seriously, with a nationally-led criminal investigation into the attack.”

The attack comes just over a month after a major data breach within the Police Service of Northern Ireland (PSNI).

Surnames and initials of 10,000 police employees were accidentally included in a response to a Freedom of Information request.

The details were then published online before being removed.

Mike Peake, chair of Greater Manchester Police Federation, said: “Our colleagues are undertaking some of the most difficult and dangerous roles imaginable to catch criminals and keep the public safe.

“To have any personal details potentially leaked out into the public domain in this manner – for all to possibly see – will understandably cause many officers concern and anxiety. We are working with the force to mitigate the dangers and risks that this breach could have on our colleagues.”

Elizabeth Baxter, head of Cyber Investigations at the Information Commissioner’s Office (ICO), said: “Police officers and staff expect their information to be kept secure, and are right to be concerned when that doesn’t happen. This incident has been reported to us, and we’ll now be looking into what happened, and asking questions on behalf of anyone affected.

“Organisations must look after employee information, particularly in sectors where the impact of a data breach could be greater. The ICO works to support organisations to get this right so people can feel confident that their information is secure.”

Hüseyin Can Yuceel, a security researcher at Picus Security, a company specialising in simulating the attacks of ransomware gangs said: “We have seen a string of high-profile cyber incidents involving police officer data in recent weeks, including the Metropolitan Police and the PSNI. You don’t need to be a detective to see a pattern.

“Cybercriminals actively target organisations that provide public services. Police forces, despite playing a critical role in law enforcement, are seemingly no exception. The data of UK police officer data has the potential to be highly lucrative and if these details are sold on the dark web, I suspect there will be plenty of bidders.

“A man was recently arrested in connection to the PSNI data breach on suspicion that the stolen data could be useful to terrorists. This underscores the potential seriousness of the GMP data breach and why the NCA, ICO and GMP have immediately launched a national criminal investigation.”

“Attacks like this serve as a reminder to all organisations to ensure that they closely work with partners in the supply chain to identify and validate potential cybersecurity risks.”

Dominic Trott, director of Strategy and Alliances at Orange Cyberdefense, Europe’s largest MSSP, added: “This is another example of why organisations must ensure that supply chain risk management is a top priority. There have been a number of well-publicised incidents in recent years – attacks on smaller companies which have had a huge knock-on impact on multiple other organisations. Incidents such as the SolarWinds and Kaseya compromises revealed how vulnerable we are to attacks via the supply chain, as well as illustrating just how interdependent computer systems and the businesses that use them are with one-another.

“The message is clear – no matter how secure businesses’ systems are, they are always at risk via third-party suppliers. Senior leaders need to have a clear understanding of what security controls, personnel, and processes a third party has in place, which is typically handled through something as straightforward as a questionnaire. However, this is both a ‘point in time’ approach and difficult to measure. We expect a more standards-based approach, at least as agreed within an individual supply chain, to emerge as a more resilient method.”

Tom Kidwell, ex-Army and government intelligence professional, and co-founder of cybersecurity firm Ecliptic Dynamics, said: “The news today that Greater Manchester Police has fallen victim to a potential data breach through a third-party supplier isn’t surprising. It follows a long string of data leaks, breaches and attacks on police forces in the UK.

“In the last month both the PSNI and Metropolitan Police has had highly sensitive data leaked, the second of which was caused by a third-party IT supplier. This is a recurring theme within both the public and the private sector, and must be extremely frustrating for police forces, who take data security and privacy extremely seriously.

“When thinking about cybersecurity, most organisations tend to focus on their own security, and hope that their suppliers and other organisations operating alongside them, are doing their jobs effectively.

“Unfortunately for the Greater Manchester Police, this seems not to have been the case. The reality is that law enforcement agencies and other public sector bodies are becoming an increasingly common target for attacks, not just because they often hold highly sensitive, and lucrative information, but also to cause disruption and chaos within the UK.

“The report yesterday from the Parliament’s Public Accounts Committee, which revealed that the British civil service has fewer than half of the data and technology professionals it needs, couldn’t have come at a more timely moment.

“It highlights again the need for having a robust understanding of your supply chain and ensuring they are accountable, particularly in areas which could leave you vulnerable. Managed service providers often have elevated levels of access to your systems and data, often more than your own staff. The assumption is they are taking as much diligence and care of your digital infrastructure as you are.”