Greater Manchester Police Investigating Third-Party Data Breach Following Ransomware Attack
A significant third-party data breach has exposed the personal information of officers and staff at the Greater Manchester Police (GMP) in the United Kingdom. The breach, which is currently under investigation, underscores the growing risk of third-party vulnerabilities in today's digital landscape.
The breach affected a company responsible for producing staff identification cards for the GMP, based in Stockport, Manchester. However, precise details about the extent of the breach, including the number of individuals affected and the nature of the exposed data, remain undisclosed.
The Greater Manchester Police is a sizable force, employing approximately 8,000 police officers, over 3,000 staff members, and 560 support officers. It serves a population of around 2.7 million people in the Greater Manchester region of North West England.
Assistant Chief Constable Colin McFarlane of the Greater Manchester Police confirmed that the breach resulted from a ransomware attack. However, he also mentioned that there is no indication that financial data was compromised. The identity of the threat actor responsible for the attack remains unknown, and no ransomware group has claimed responsibility thus far. GMP has not disclosed whether any ransom demands were made.
In response to the breach, a national investigation involving regulatory and law enforcement agencies has been initiated to determine the full scope and impact of the incident.
ACC Colin McFarlane expressed understanding of the concerns among GMP employees and emphasized the seriousness of the situation. He stated, "This is being treated extremely seriously, with a nationally-led criminal investigation into the attack."
Beyond the potential cyber threats that affected individuals may face, there is a concern that the breach could expose undercover officers and agents engaged in special missions. To mitigate this risk, the National Crime Agency (NCA) has become involved in the investigation.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, highlighted the implications of the breach, stating, "Such information can be leveraged for identity theft, social engineering attacks, or even the targeting of specific police officers."
This incident reflects a troubling trend of data breaches affecting law enforcement agencies in the UK over the past year. In August 2023, the Metropolitan Police Service (MPS) experienced a similar third-party data breach involving a supplier responsible for warrant cards, affecting approximately 47,000 police officers.
Rick Prior, Vice Chair of the Metropolitan Police Federation, described the MPS breach as "staggering" and infuriating. Investigations indicated that both the MPS and GMP data breaches likely originated from the same supplier, exposing comparable information.
Furthermore, the Police Service of Northern Ireland (PSNI) and constabularies in Norfolk and Suffolk reported data leaks in 2023. These breaches exposed sensitive crime data, including incident descriptions, as well as the identities of witnesses and suspects.
The recent spate of data breaches within law enforcement agencies highlights the need for a thorough review of cybersecurity policies, particularly in the context of third-party supplier selection, to enhance data protection and safeguard critical information.
As investigations into these incidents continue, it is clear that cybersecurity remains a pressing concern for organizations across various sectors, with an emphasis on the critical role of third-party risk management in today's digital age.