
Cyber Incident Victim: Digital ID

Date: Jul 2023

Location: United Kingdom

Summary

A ransomware attack targeted Digital ID, a third-party supplier of identity cards for UK police forces and other organizations. The breach compromised the personal data of officers, including names, ranks, photos, and serial numbers. This incident raised significant security concerns for affected personnel and prompted a nationally led criminal investigation into the attack.


Description

On or around July 1, 2023, a significant ransomware attack was launched against Digital ID, a Stockport-based third-party supplier specializing in the production of identity cards and lanyards for various UK organizations. The breach compromised the personal data of a substantial number of employees from several major clients, most notably the Greater Manchester Police (GMP) and the Metropolitan Police. The attack was first publicly disclosed in relation to the Metropolitan Police in late July, with GMP informing its staff of their involvement almost three weeks later, on August 2, 2023. The National Crime Agency (NCA) launched a full criminal investigation into the incident, working in coordination with the National Cyber Security Centre and the Information Commissioner’s Office to fully understand the impact and support the affected organizations.


The compromised data is highly sensitive, pertaining specifically to police warrant cards and identity badges. The information accessed by the cyber-attackers includes the names, ranks, photographs, and serial numbers of thousands of officers and staff. A particularly concerning aspect of the data breach involves the photographs, some of which were found to contain embedded geo-location data. This metadata could potentially disclose the precise location where a photograph was taken or from where it was uploaded, posing a direct and severe threat to the safety and security of the individuals involved. At the time of the reports, there was no indication that any of the stolen personal information had been published online.
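The geo-location risk described above comes from metadata embedded in the image file itself rather than from anything visible in the photograph. The following is an added example, not code from the original entry or from any of the organizations involved: it assumes the photographs are JPEG files carrying Exif metadata (the usual way cameras and phones record GPS coordinates), parses the Exif GPS tags with the standard library only, and strips the Exif segment so that the location cannot leave with the file. The sample JPEG and its coordinates are constructed inside the block; the function and tag names are this example's own.

```python
import struct

# Exif tag and type constants (from the TIFF/Exif specifications)
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _to_dms(value):
    """Decimal degrees -> three (numerator, denominator) pairs, as Exif stores them."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = round(((value - deg) * 60 - minutes) * 60 * 100)
    return [(deg, 1), (minutes, 1), (seconds, 100)]


def build_sample_jpeg(lat, lon):
    """Constructed sample input: a minimal JPEG (SOI, APP1 Exif, EOI) whose Exif holds a GPS IFD."""
    def entry(tag, typ, count, value):
        return struct.pack("<HHI", tag, typ, count) + value

    gps_ifd_off = 8 + 2 + 12 + 4                # IFD0 holds a single GPSInfo pointer
    data_off = gps_ifd_off + 2 + 4 * 12 + 4     # rational values follow the GPS IFD
    ifd0 = (struct.pack("<H", 1)
            + entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack("<I", gps_ifd_off))
            + b"\x00" * 4)
    gps = struct.pack("<H", 4)
    gps += entry(TAG_LAT_REF, TYPE_ASCII, 2, (b"N" if lat >= 0 else b"S") + b"\x00" * 3)
    gps += entry(TAG_LAT, TYPE_RATIONAL, 3, struct.pack("<I", data_off))
    gps += entry(TAG_LON_REF, TYPE_ASCII, 2, (b"E" if lon >= 0 else b"W") + b"\x00" * 3)
    gps += entry(TAG_LON, TYPE_RATIONAL, 3, struct.pack("<I", data_off + 24))
    gps += b"\x00" * 4
    rationals = b"".join(struct.pack("<II", n, d) for n, d in _to_dms(lat) + _to_dms(lon))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rationals
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (offset, marker, payload) for each header segment after SOI, up to EOI or scan data."""
    i = 2
    while i + 2 <= len(jpeg) and jpeg[i] == 0xFF:
        marker = jpeg[i + 1]
        if marker == 0xD9 or i + 4 > len(jpeg):   # EOI has no length field
            return
        length = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        yield i, marker, jpeg[i + 4:i + 2 + length]
        i += 2 + length


def _read_ifd(tiff, off, e):
    """Read one IFD into {tag: (type, count, raw 4-byte value-or-offset)}."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    entries = {}
    for k in range(n):
        p = off + 2 + 12 * k
        tag, typ, count = struct.unpack(e + "HHI", tiff[p:p + 8])
        entries[tag] = (typ, count, tiff[p + 8:p + 12])
    return entries


def _coord(tiff, e, gps, ref_tag, val_tag):
    """Combine a hemisphere reference tag and a degrees/minutes/seconds tag into decimal degrees."""
    if ref_tag not in gps or val_tag not in gps:
        return None
    ref = gps[ref_tag][2][:1].decode("ascii")
    off = struct.unpack(e + "I", gps[val_tag][2])[0]
    d, m, s = [n / den for n, den in
               (struct.unpack(e + "II", tiff[off + 8 * k:off + 8 * k + 8]) for k in range(3))]
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the Exif carries GPS tags, else None."""
    for _, marker, payload in _segments(jpeg):
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        e = "<" if tiff[:2] == b"II" else ">"         # byte order from the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
        lat = _coord(tiff, e, gps, TAG_LAT_REF, TAG_LAT)
        lon = _coord(tiff, e, gps, TAG_LON_REF, TAG_LON)
        return None if lat is None or lon is None else (lat, lon)
    return None


def strip_exif(jpeg):
    """Drop every APP1 Exif segment so no embedded location (or other metadata) leaves with the file."""
    out = bytearray(jpeg[:2])
    i = 2
    for off, marker, payload in _segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[off:off + 4 + len(payload)]
        i = off + 4 + len(payload)
    out += jpeg[i:]                                  # remaining segments, scan data and EOI
    return bytes(out)


if __name__ == "__main__":
    photo = build_sample_jpeg(12.345, -67.891)       # constructed coordinates, not a real location
    print("before scrubbing:", extract_gps(photo))
    print("after scrubbing: ", extract_gps(strip_exif(photo)))
```

Running the file shows the coordinates recovered from the sample image and `None` after scrubbing. In a real workflow, the check (`extract_gps` returning anything other than `None`) belongs in whatever process collects staff photographs before they are handed to a supplier, and the scrub should be applied to every image regardless, since the risk is not limited to files where GPS tags happen to be found.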

Digital ID operates using two primary business models, which dictated the scope of the impact. The majority of its clients, which include organizations like the BBC, purchase printers and then produce identity cards internally within their own offices. For these clients, the transfer of large amounts of employee data to Digital ID is minimal, and they were therefore largely unaffected by the breach. However, a smaller subset of clients, which included the two major police forces, provided their employee data directly to Digital ID so that the firm could handle the printing and production of the identity cards on their behalf. It was through these systems, holding the data provided by this second group of clients, that the cyber-attackers were able to gain access.

The nature of the compromised data makes this incident exceptionally serious because of the sensitive roles of the affected individuals. Greater Manchester Police and the Metropolitan Police together employ more than 60,000 officers and staff and host some of the busiest counter-terrorism units in Britain. The stolen data would be highly valuable to criminal entities, as it could be exploited to impersonate officers, steal identities, disrupt ongoing investigations, or directly threaten the safety of law enforcement personnel. The risk is acutely elevated for the GMP officers who work in undercover roles (their number was reported only as an estimate); the exposure of their personal details presents a clear and present danger to their physical safety and could jeopardize the covert inquiries they are conducting.

The delay in notifying affected GMP personnel became a point of contention. While the breach became public knowledge in late July, GMP first informed its nearly 12,500 affected officers and staff on August 2, almost three weeks later. The force communicated via email, stating that investigators had established data "may have been accessed" and that those individuals whose photos contained geo-location data were being contacted directly. This delay prompted criticism and raised questions about the protocols for informing staff of such critical security incidents. The Police Federation revealed it had previously alerted the Metropolitan Police to the potential dangers of outsourcing operationally sensitive material three years prior to this incident, indicating that such risks were foreseeable.

Reaction from police representatives underscored the deep concern and anxiety caused by the breach. Mike Peake, the chair of the Greater Manchester Police Federation, stated that officers undertaking difficult and dangerous roles to catch criminals and keep the public safe would understandably be worried about their personal details being leaked into the public domain. The Federation worked with the force to mitigate the potential dangers and risks arising from the breach. Assistant Chief Constable Colin McFarlane of GMP sought to reassure employees, acknowledging the concern and confirming that the incident was being treated with the utmost seriousness. He noted that, at that stage, it was not believed the data included financial information.

The Information Commissioner's Office also responded to the incident, with its head of cyber investigations, Elizabeth Baxter, emphasizing that police officers and staff rightly expect their information to be kept secure. The office confirmed the incident had been reported to them and that they would be investigating what happened on behalf of all those affected. The broader implications for data protection within UK policing were also brought into sharp focus, as this incident followed closely on the heels of another major data breach involving the Police Service of Northern Ireland, where the surnames and initials of 10,000 employees were accidentally published online.

The attack on Digital ID is characterized as a ransomware attack, a type of cyber intrusion where attackers encrypt a victim's systems and demand payment in exchange for restoring access, often with the threat of leaking the stolen data if the ransom is not paid. While the articles do not specify if a ransom was demanded or paid, cybersecurity expert Toby Lewis, a former incident manager at the National Cyber Security Centre and head of threat analysis at Darktrace, explained the potential ramifications. He stated that if a company like Digital ID chooses not to pay the demanded ransom, the stolen personal details could eventually be leaked online. Lewis further suggested that given the client base of Digital ID, which includes several NHS trusts and universities alongside the police forces, the total number of individuals affected across all organizations could potentially run into the tens of thousands, though he stressed the exact size of the compromised database was unknown.

Digital ID itself stated that it notified cybersecurity experts in July when it first became aware of the incident. The company maintained that the majority of its customers were not affected, a claim that aligns with its business model where most clients produce IDs in-house. However, for the clients who did outsource their printing, the breach was significant. A source indicated that most of the identity cards were inactive when they left Digital ID’s headquarters, but this did not prevent the attackers from accessing the underlying personal data stored within the company's systems. The nationally led criminal investigation continues to work on understanding the full extent of the attack and identifying the perpetrators behind this severe compromise of sensitive law enforcement data.
