Image: Karl Callwood (unsplash)
The Greater Manchester Police (GMP) of the United Kingdom disclosed that a ransomware assault targeting one of its third-party vendors led to the exposure of some of its staff’s personal details.
The affected service provider, which remained unnamed in today’s official statement, offers services not only to GMP but also to numerous other establishments throughout the UK.
GMP officials expressed confidence that the breached data doesn’t encompass any financial records of the police force’s members. The statement mentioned awareness of the ransomware incident impacting a third-party provider that holds certain data about GMP employees. However, it was stressed that there’s currently no indication this information encompasses financial details.
Details about other potentially exposed data types weren’t provided. In response to this development, GMP conveyed its understanding of the potential concerns and apprehensions of its personnel. Accordingly, measures have been taken to notify the Information Commissioners Office while making every possible effort to keep the employees informed, address their queries, and extend the needed support.
Further, it was highlighted that the GMP is according the issue the gravest attention, considering it a matter of national-level criminal probe significance.
Recurring Vulnerabilities Across the UK This incident involving GMP is reminiscent of another breach that occurred about a month prior, targeting the Police Service of Northern Ireland (PSNI). That attack disclosed the personal data, official ranks, and locations of approximately 10,000 law enforcement officers. Certain portions of this acquired data later surfaced online, jeopardizing undercover agents and potentially endangering other staff due to the inherent risks of their profession.
Later in August, the Metropolitan Police (Met) faced a similar dilemma when malefactors infiltrated the IT framework of one of its vendors. This intrusion resulted in the inadvertent release of details like names, designations, photographs, clearance levels, and payroll IDs of almost 47,000 police personnel.
In the early days of September 2023, reports surfaced, notably from The Sun, identifying the compromised third-party as ‘Digital ID,’ a Stockport-based manufacturer specializing in ID cards and access passes. The enterprise later acknowledged the occurrence of an IT-related security episode in an official press release but refrained from disclosing additional information.
Though unverified, there are growing suspicions that the recent GMP episode might be intertwined with the Digital ID breach. Given Digital ID’s expansive clientele, it won’t be surprising if other police entities across the UK soon unveil parallel data exposure incidents.