Cyber Incident Victim: Dacoll
Date: Oct 2021
Location: United Kingdom
Summary
The Clop ransomware gang breached an IT firm, Dacoll, compromising confidential data managed for UK police, including information from the Police National Computer, which holds records of 13 million individuals. Stolen information encompassed motorist images from the national license plate recognition system, driver footage, and close-up facial images of traffic offenders. The company confirmed that the incident impacted an internal network unconnected to client systems, refused ransom demands, and did not disclose full breach details. A subsidiary providing critical remote access services to most UK police forces was implicated. National cybersecurity authorities supported law enforcement investigations into the leak of sensitive police data on dark web platforms.
Description
The Clop ransomware gang breached IT firm Dacoll on October 5, 2021, through a phishing attack, gaining access to confidential data managed by the company. This included information from the Police National Computer (PNC), which holds personal records of approximately 13 million individuals. Stolen files comprised motorists' images extracted from the UK’s national Automatic Number Plate Recognition (ANPR) system, along with driver footage and close-up facial images of individuals who committed traffic offenses. Dacoll confirmed the cyber incident on the same day, stating operations were quickly restored and emphasizing the breach was confined to an internal network not connected to client systems. Clop subsequently leaked portions of the stolen data on its dark web site, threatening further releases unless a ransom was paid. Dacoll refused to disclose the ransom amount or comply with the demand. The company did not publicly specify the full scope of the breach or identify all compromised data types beyond the ANPR-related materials. The Daily Mail reported the leak on December 19, 2021, noting the gang’s exploitation of Dacoll’s systems to access PNC-linked information.

The incident raised concerns due to Dacoll subsidiary NDI Technologies’ role in providing remote PNC access services to approximately 90% of UK police forces. This connection underscored potential systemic risks, though Dacoll maintained client networks remained isolated. The National Cyber Security Centre (NCSC) acknowledged the breach and collaborated with law enforcement to assess impacts. Clop, active since February 2019, employed its characteristic double-extortion tactic—exfiltrating data before encryption and threatening leaks to pressure victims. The group had previously targeted universities and enterprises globally. In November 2021, six alleged Clop affiliates were arrested in Operation Cyclone, an Interpol-led initiative, though this occurred after the Dacoll attack. UK authorities continued investigating the breach’s ramifications, particularly regarding the exposure of sensitive law enforcement data. Dacoll did not release additional details about remediation steps or forensic findings beyond its initial statement.
