‘Cyber incident’ for the UK’s Labour Party sees ‘significant quantity’ of membership data, held by unidentified third party, being compromised
The UK’s Labour Party is at the centre of a cyber incident after a third party that handled membership data on its behalf reported a ‘cyber incident.’
In its statement on the matter, the Labour Party revealed that on 29 October 2021, it was informed of the cyber incident by the third party.
“The third party told us that the incident had resulted in a significant quantity of Party data being rendered inaccessible on their systems,” Labour said.
There is no confirmation at this stage about how much membership data has been compromised, but the words ‘significant quantity’ do not bode well.
Some media outlets are reporting it was a ransomware attack on the unnamed third party.
“We wish to inform you that a third party that handles data on our behalf has been subject to a cyber incident,” said Labour. “While the Party’s investigation remains ongoing, we wanted to make you aware of this incident and the measures which we have taken in response.”
It said that the incident was immediately reported to the relevant authorities, including the National Crime Agency (NCA), National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).
“The Party continues to work closely with each of these authorities,” it stated. “The Party is also working closely and on an urgent basis with the third party in order to understand the full nature, circumstances and impact of the incident. The Party’s own data systems were unaffected by this incident.”
Labour is not clear about what type of personal data has been compromised at this stage, but it said it understood “that the data includes information provided to the Party by its members, registered and affiliated supporters, and other individuals who have provided their information to the Party.”
At the time of writing, there is no word on who the third party is.
This is not the first time there have been data incidents at the Labour Party.
In 2010 the Labour Party was hit with an enforcement notice by the Information Commissioner’s Office (ICO) for making repeated unsolicited marketing calls to around half a million people.
This was despite the Labour Party agreeing to halt the practice back in 2007.
Then in November 2019 the Labour Party said its digital platforms had been subjected to a “sophisticated and large-scale cyberattack”, just weeks before the general election, amid ongoing reports of state-sponsored attacks.
One security expert picked up on the report that the incident was a ransomware attack, which would suggest it is financially, and not politically, motivated.
The threat of leaking personal data of members on the dark web therefore presents a real headache for Labour’s leadership.
“It is quite normal for the NCSC to get involved in large scale attacks particularly when the loss of data is potentially very damaging,” explained Jake Moore, former Head of Digital Forensics at Dorset Police and now cybersecurity specialist at cybersecurity firm ESET.
“Even though financially motivated, the key pivot point to receive the money will be via dangling any sensitive data on the dark web and among interested parties,” said Moore. “This will likely increase the chances of the demands being paid.”
“As more and more ransomware attacks now anchor on the data leaking, this could be a challenging time for those in control of the Labour party,” said Moore. “The victims caught up in the compromise must now place more attention to any follow up suspicious emails and phone calls should their details have already been leaked to the next level of malicious actors.”
Another expert noted that this latest compromise of a third party does not absolve Labour of ultimate responsibility and blame for the matter.
“This latest data breach disclosed by Labour highlights the importance of third-party and supply chain security controls; you must ensure that third parties meet your security requirements and don’t just assume,” noted Joseph Carson, chief security scientist at ThycoticCentrify.
“Even though this was blamed on a third party, Labour is still responsible and accountable,” said Carson.
“Labour has recommended using Multi-Factor Authentication where possible, though it’s also advisable to do even more and get a password manager that makes all your passwords unique and complex.”