Manchester Police Officer Data Compromised In Supplier Attack

Ransomware attack on third-party supplier has compromised data of staff employed by Greater Manchester Police (GMP)

Greater Manchester Police (GMP) has confirmed that data belonging to some of its staff and police officers have been compromised in a data breach.

The data breach occurred when a third-party supplier to GMP and other organisations suffered a ransomware attack. GMP said “at this stage, it’s not believed this data includes financial information.”

A number of police forces in the UK have recently suffered data breaches, mostly self-inflicted, such as the devastating exposure of police officer data by the Police Service of Northern Ireland (PSNI), as well as Norfolk and Suffolk police.

GMP supplier attack

Those breaches were a result of an accidental release of data within a Freedom of Information (FoI) request.

However, last month data belonging to the Metropolitan Police was compromised after a contractor was hacked, which exposed the names, ranks, photos, vetting levels and pay numbers for 47,000 Met police officers and staff.

Then last week, data belonging to the UK’s Ministry of Defence (MoD) was compromised by a sophisticated cyber-attack on British high-security fencing supplier Zaun Ltd.

Now Greater Manchester Police (GMP) has confirmed that one of its suppliers has been hacked, resulting in a compromise of its staff data, potentially exposing the names of thousands of police officers in public forums.

Same firm?

The GMP supplier attack could potentially be (although this is not confirmed at this stage) the same compromise of the ID-making firm that resulted in the Met police data breach last month.

“We are aware of a ransomware attack affecting a third-party supplier of various UK organisations, including GMP, which holds some information on those employed by GMP,” said chief constable Colin McFarlane of Greater Manchester Police (GMP) in a statement issued by the force.

“At this stage, it’s not believed this data includes financial information,” said McFarlane. “We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioner’s Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported.”

“This is being treated extremely seriously, with a nationally-led criminal investigation into the attack,” said the chief constable.

Sensitive data

Jake Moore, global security advisor at ESET, warned that certain suppliers holding sensitive public sector data could soon be required to dramatically ramp up their security policies.

“Once again, we find another data leak with harrowing consequences affecting police officers and staff,” said Moore. “Cybercriminals will attack all links in the chain for a weak link and if this involves a small company used to make ID cards then this firm will require the same security as the force in question.”

“Many businesses in the police’s supply chain will handle extremely sensitive data but it is imperative that they are checked not only in terms of vetting but in terms of security protocols as well,” said Moore.

“When dealing with this level of sensitive information that could cause huge knock-on effects it is vital that they are protected to the highest possible standard,” Moore concluded.

Trust Issue

Anne Cutler, cybersecurity evangelist at Keeper Security, agreed that there is an inherent risk involved anytime a company outsources and entrusts sensitive information with third-party providers.

“When the organisation does not own and operate the infrastructure that holds these resources, it not only lacks control, but it has reduced visibility in the event of an emergency such as a data breach like this,” said Cutler.

“When choosing products and services, organisations are putting their trust in another organisation to handle their employees’ data with the utmost security,” said Cutler. “When that third-party organisation fails to do this, it understandably breaks that trust.”

“This particular data leak serves as yet another reminder of why everyone must make cybersecurity a priority,” said Cutler. “In cases where personal information is stolen, the impacts of a data breach are felt long after it’s been discovered and contained. Those impacted in this breach should take proactive steps to protect themselves from cybercriminals who may aim to use their personal information for identity theft and targeted attacks.”

Warrant card data

Meanwhile, Javvad Malik, lead security awareness advocate at KnowBe4, noted that the compromise of Greater Manchester Police officers’ warrant card details is further evidence of the persistent cybersecurity challenges faced by law enforcement agencies.

“This breach follows a similar attack on the Metropolitan Police, highlighting the potential vulnerabilities of third-party suppliers in the supply chain,” said Malik.

“While it’s reassuring to learn that financial details and home addresses were not compromised, the exposure of names, ranks, and photographs from warrant badges can still have significant implications,” said Malik. “Such information can be leveraged for identity theft, social engineering attacks, or even the targeting of specific police officers.”

“It’s essential for law enforcement agencies to conduct rigorous security assessments of their third-party suppliers and ensure they meet stringent cybersecurity standards,” said Malik. “Additionally, implementing robust monitoring, detection, and response mechanisms can help organisations identify and respond quickly to potential breaches.”

Human error

Matt Cooke, cybersecurity strategist at Proofpoint, also noted that this is not the first incident involving the UK public sector of late.

“While the exact details of this breach are yet to be confirmed, this should serve as a stark reminder to organisations in all sectors that no matter how robust your technical controls are, human error is the root cause of many large cyber security incidents,” said Cooke.

“It’s no surprise that recent research has shown that 78 percent of UK IT security leaders see human error as their organisation’s biggest cybersecurity vulnerability and that the WEF reports that 95 percent of cyberthreats are due to human error,” said Cooke.

“And while public institutions spend significant time and resources detecting and mitigating external threats, they must also consider the cybersecurity awareness among their workforce, especially those who have access to such sensitive data,” said Cooke.

Met police breach

Mark Stockley, senior threat researcher at Malwarebytes, noted that it seems likely that GMP has been caught up in the same attack as the one that affected the Metropolitan Police.

“It reported that officers’ data was exposed when a Stockport-based supplier of ID cards had been attacked by ransomware,” said Stockley. “That appears to be the same as happened to the GMP. This emphasises how an organisation’s security is inexorably linked to the security of every vendor and supplier in its supply chain.”

“It also shows that ransomware is not a computer problem, and we need to stop thinking about it in that way,” said Stockley. “Ransomware attacks work because of the effect they have on organisations and people.”

“They cause disruption, pain and suffering and often lead to organisations ceasing to function,” said Stockley. “The increasing number of attacks on the UK’s critical infrastructure are putting people at risk, and could have effects far beyond the intended target.”