Cyber Incident Victim: Labour Party
Date: Feb 2019
Location: United Kingdom
Summary
The UK Labour Party experienced unauthorized attempts to access its membership databases and campaign management systems, prompting a lockdown of critical digital tools including volunteer management and communications platforms. Concerns centered on potential data exfiltration by former members, with personal information—classified as sensitive "special category" data due to revealing political affiliations—at risk of improper processing under data protection laws. The incident disrupted campaign operations and volunteer activities, drawing internal criticism while highlighting potential violations of GDPR requirements for data controller responsibilities, including safeguards against unlawful access. The party warned of potential regulatory action by the Information Commissioner's Office against those processing data without authorization.
Description
In late February 2019, the UK Labour Party restricted access to its membership databases and campaign management systems following suspicions of unauthorized data extraction. Party General Secretary Jennie Formby disclosed on February 20-21 that the organization had detected multiple attempts to access personal information by individuals lacking proper authorization. Internal communications indicated concern that departing Labour MPs—who had recently formed The Independent Group—might have improperly obtained member records for potential future political activities. The party implemented immediate security measures by disabling two critical operational tools: Organise (a volunteer management and communications platform) and Contact Creator (a campaign material production and monitoring system). This lockdown disrupted normal party operations, generating complaints from volunteers and sitting Labour MPs including Stella Creasy, who publicly expressed frustration over impaired constituency work due to the system restrictions.

The incident involved potential violations of the UK Data Protection Act 2018, specifically Section 170, which prohibits unauthorized acquisition or retention of personal data. Formby's communications emphasized that political affiliation data constitutes "special category" information under GDPR, warranting enhanced legal protections. The party warned perpetrators about potential investigations by the Information Commissioner's Office (ICO), referencing precedents like Bupa's £175,000 fine for similar data security failures. Labour's response focused on containment through access restrictions while acknowledging organizational responsibilities under GDPR Article 5(1)(f) to implement appropriate technical safeguards against unlawful processing. The security measures remained active during the initial disclosure period, with no public confirmation of whether data exfiltration actually occurred or whether the ICO initiated formal proceedings. Operational disruptions to campaign infrastructure represented the primary immediate consequence of the incident response.
