The personal details of tens of thousands of public sector workers could have been breached in a cyber-attack that has hit two of Britain’s biggest police forces, an expert has said.
More than 12,500 Greater Manchester police (GMP) officers and staff were put on alert on Thursday that their private data had been compromised in a hack that also hit the Metropolitan police last month.
The details of officers’ warrant cards – including names, ranks, photos and serial numbers – are thought to have been taken in the ransomware attack on a third-party supplier used by both forces.
The National Crime Agency (NCA) said it had launched a criminal investigation into the breach at the Stockport-based firm, Digital ID, which makes identity cards and lanyards for a number of UK organisations including several NHS trusts and universities.
Toby Lewis, a former incident manager at the National Cyber Security Centre, said it was likely that details of staff in other organisations that the firm supplies would also have been compromised. The firm insisted the majority of its customers were not affected.
In a sign of the seriousness of the attack, the NCA said it was working alongside the National Crime Security Centre and the Information Commissioner’s Office “to fully understand the impact of the incident and support those organisations whose data has been accessed”.
Lewis, now head of threat analysis at the cybersecurity firm Darktrace, said it likely that the firm’s entire customer base would have been hacked.
He said: “If you’ve got a pass that’s been made by Digital ID then there is absolutely is the chance that your personal details that were used to generate that pass [have] been caught up in this ransomware attack and could eventually be leaked online if the company chooses not to pay the ransom.”
Asked if this could run into tens of thousands of people, Lewis stressed he did not know the size of the company’s database, but he added: “Given their clients, you could be talking those kind of numbers.”
Digital ID said it notified cyber experts last month when it became aware of the incident. The company says most of its clients buy its printers and then produce identity cards at their own offices, meaning they are not transferring huge amounts of employee data to a third party. The BBC is understood to be one such client.
However, a small number of other customers – understood to include the Metropolitan police and GMP – provide employee data to Digital ID so the firm can print the cards for them.
A source said most of these identity cards were inactive when they left Digital ID’s headquarters. However, it appears that cyber-attackers have been able to access this data through its systems.
The breach will prompt serious security concerns given the highly sensitive nature of police work at the two forces, which together employ more than 60,000 officers and staff and have the busiest counter-terrorism units in Britain.
It will raise further questions about data protection in UK policing, coming just weeks after the surnames and initials of 10,000 Police Service of Northern Ireland employees were published online after being accidentally included in a response to a freedom of information request.
The Police Federation has said it alerted the Metropolitan police to the potential dangers of outsourcing operationally sensitive material three years ago.
Mike Peake, the chair of the Greater Manchester Police Federation, said officers would rightly be concerned by the latest security breach. He said: “Our colleagues are undertaking some of the most difficult and dangerous roles imaginable to catch criminals and keep the public safe. To have any personal details potentially leaked out into the public domain in this manner – for all to possibly see – will understandably cause many officers concern and anxiety. We are working with the force to mitigate the dangers and risks that this breach could have on our colleagues.”
GMP is facing questions about why it first told staff about the incident on Wednesday, almost three weeks after the breach became public.
In an email to staff, the force said investigators had established that data from the badges including names, ranks, photos and serial numbers “may have been accessed”.
It said some of these photos contained “geo-location data” – information that discloses where precisely the picture was taken or from where it was uploaded – and that these people were being contacted.
There was no indication at this stage that any personal information had been published online, according to the email, which was shared with the Manchester Evening News.
Any identifiable police data would be highly valuable to criminals as it could be used to steal impersonate officers, steal their identities or disrupt investigations.
A number of GMP’s 8,000 officers work in undercover roles, meaning their personal details being stolen presents a significant risk to their safety and the covert inquiries on which they work.
Colin McFarlane, an assistant chief constable of Greater Manchester police, said: “We are aware of a ransomware attack affecting a third-party supplier of various UK organisations, including GMP, which holds some information on those employed by GMP. At this stage, it’s not believed this data includes financial information.
“We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioner’s Office and are doing everything we can to ensure employees are kept informed, their questions are answered and they feel supported. This is being treated extremely seriously, with a nationally led criminal investigation into the attack.”
Elizabeth Baxter, the head of cyber investigations at the Information Commissioner’s Office, said: “Police officers and staff expect their information to be kept secure, and are right to be concerned when that doesn’t happen. This incident has been reported to us, and we’ll now be looking into what happened, and asking questions on behalf of anyone affected.”