Cyber Incident Victim: Greater Manchester Police
Date: Aug 2023
Location: United Kingdom
Summary
A ransomware attack on a third-party supplier, Digital ID, compromised the personal data of Greater Manchester Police officers and staff. The breached information included names, ranks, photos, and warrant card serial numbers, raising significant security concerns for the safety of personnel. A nationally led criminal investigation was launched to understand the full impact of the incident.
Description
A ransomware attack targeted Digital ID, a Stockport-based third-party supplier responsible for producing identity cards and lanyards for various UK organisations, including the Greater Manchester Police and the Metropolitan Police. The incident, which became public knowledge in late July or early August 2023, resulted in a significant data breach. The personal details of over 12,500 Greater Manchester Police officers and staff were compromised. The data accessed in the attack is believed to include information from officers' warrant cards, specifically their names, ranks, photographs, and serial numbers. Furthermore, some of the photographs contained embedded geo-location data, which reveals the precise location where a picture was taken or from where it was uploaded. This type of information presents a severe security risk, particularly for individuals working in law enforcement.

The breach was not isolated to the police forces; cybersecurity experts indicated that the personal details of tens of thousands of public sector workers from other organisations supplied by Digital ID could also have been breached. The firm provides services to several NHS trusts and universities, among other UK organisations. An expert assessment suggested that the firm's entire customer base was likely hacked, meaning any organisation that provided employee data to Digital ID for the purpose of printing identity cards was potentially affected. However, the company stated that the majority of its customers were not impacted because most clients purchase its printers and produce identity cards in-house, thereby not transferring large amounts of employee data to the third party. The breach primarily affected a smaller subset of customers, which included the Metropolitan Police and Greater Manchester Police, who outsourced the printing of their identity cards to Digital ID.
The National Crime Agency launched a criminal investigation into the breach, working alongside the National Cyber Security Centre and the Information Commissioner's Office. The collective effort aimed to fully understand the impact of the incident and support the organisations whose data was accessed. The incident raised immediate and serious security concerns due to the highly sensitive nature of police work. The two affected forces employ more than 60,000 officers and staff and operate the busiest counter-terrorism units in Britain. The stolen data is considered highly valuable to criminals, as it could be used to impersonate officers, steal identities, or disrupt ongoing investigations. The risk is particularly acute for those among GMP's 8,000 officers who work in undercover roles; the compromise of their personal details presents a direct threat to their safety and jeopardises the covert inquiries they are conducting.
There was a delay in notifying the affected GMP staff. The force first informed its officers and staff about the incident almost three weeks after the breach had become public, raising questions about the timeliness of its internal communication. In an email to staff, GMP stated that investigators had established that data from the badges "may have been accessed." The communication assured employees that there was no indication at that stage that any personal information had been published online. Assistant Chief Constable Colin McFarlane stated that the data involved was not believed to include financial information. The force reported the incident to the Information Commissioner's Office and committed to keeping employees informed, answering their questions, and ensuring they felt supported, acknowledging the seriousness with which the attack was being treated.
The Police Federation, which represents rank-and-file officers, had previously alerted the Metropolitan Police to the potential dangers of outsourcing operationally sensitive material three years prior to this incident. The chair of the Greater Manchester Police Federation, Mike Peake, expressed that officers would rightly be concerned by the security breach. He emphasized that colleagues undertaking difficult and dangerous roles to catch criminals and keep the public safe would understandably experience concern and anxiety from having their personal details potentially leaked into the public domain. The federation worked with the force to mitigate the dangers and risks the breach could pose to their colleagues. Elizabeth Baxter, the head of cyber investigations at the Information Commissioner's Office, confirmed the incident had been reported to them and stated that the office would be looking into what happened and asking questions on behalf of anyone affected, noting that police officers and staff rightly expect their information to be kept secure.
This incident occurred shortly after another major data protection failure in UK policing, where the surnames and initials of 10,000 Police Service of Northern Ireland employees were accidentally published online in response to a freedom of information request. The consecutive nature of these events prompted further questions about data security protocols within UK police forces. The attack on Digital ID was characterized as a ransomware attack, meaning the attackers likely encrypted the company's systems and demanded a payment to restore access. A cybersecurity expert, Toby Lewis, noted that the personal details caught up in the attack could eventually be leaked online if the company chose not to pay the ransom. Digital ID confirmed it notified cybersecurity experts when it became aware of the incident the previous month. A source indicated that while most identity cards were inactive when they left the company's headquarters, cyber attackers were still able to access the data through its systems.
