Manchester police data breach a classic supply chain incident

The developing data breach at Greater Manchester Police follows a cyber attack on the systems of a key supplier of ID services to the force

Alex Scroxton,
Security Editor

Published: 15 Sep 2023 11:00

A ransomware attack on Digital ID, a Stockport-based supplier of identity and access cards, is developing into a serious supply chain incident after data breaches affecting Greater Manchester Police (GMP) and London’s Metropolitan Police forces came to light.

The breach at the Met came to light in August, but GMP only revealed its data had been compromised yesterday (14 September), with more than 12,500 officers and staff warned that their personal information may have been affected. The data itself is understood to include details of serving officers’ warrant cards, which includes names, ranks, photos and serial numbers.

GMP assistant chief constable Colin McFarlane said: “We are aware of a ransomware attack affecting a third-party supplier of various UK organisations, including GMP, which holds some information on those employed by GMP. At this stage, it’s not believed this data includes financial information.

“We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioners Office [ICO] and are doing everything we can to ensure employees are kept informed, their questions are answered and they feel supported. This is being treated extremely seriously, with a nationally led criminal investigation into the attack.”

Computer Weekly understands that, in general, Digital ID supplies its customers with the wherewithal to make their own identity cards, but for a small subset of customers including GMP, it offers this as a service, which naturally requires them to supply it with data.

Questions of responsibility in supply chain incidents

Coming in the wake of multiple other data security incidents affecting the UK public sector, resulting both from cyber attacks and insider error, Tom Kidwell, a former army and intelligence professional and co-founder of security consultancy Ecliptic Dynamics, said that the force could have done more to secure its information.

“When thinking about cyber security, most organisations tend to focus on their own security, and hope that their suppliers and other organisations operating alongside them, are doing their jobs effectively. Unfortunately for the Greater Manchester Police, this seems not to have been the case,” he said.

“The reality is that law enforcement agencies and other public sector bodies are becoming an increasingly common target for attacks, not just because they often hold highly sensitive, and lucrative information, but also to cause disruption and chaos within the UK.

“It highlights again the need for having a robust understanding of your supply chain and ensuring they are accountable, particularly in areas which could leave you vulnerable. Managed service providers often have elevated levels of access to your systems and data, often more than your own staff. The assumption is they are taking as much diligence and care of your digital infrastructure as you are,” said Kidwell.

While GMP cannot be blamed for the initial cyber attack on its supplier, Rob Sheldon, a partner at data breach specialist law firm Fieldfisher, voiced similar sentiments.

“We don’t know the precise details here, but when an organisation in the UK/EU engages a supplier to provide a service and provides information about people to perform that service it is legally required to carry out due diligence checks on the supplier and to enter into a contract with the supplier.,” said Sheldon.

“The contract must meet certain minimum requirements including an obligation on the supplier to implement and maintain appropriate security measures and to notify the customer if its data is affected by a data breach.

Sheldon added: “Increasingly, customers look for contractual protection from suppliers against data protection breaches, including for breach of contract/law, including an obligation to pay the customer if a data-breach happens where the customer suffers damage as a result of the breach.

“Often, customers will look for protection against claims from individuals affected by the data-breach, the costs incurred in managing the breach and regulatory fines arising from the breach.”

Read more on Data breach incident management and recovery

Security Think Tank: Balanced approach can detangle supply chain complexity