Cyber Incident Victim: Police Federation of England and Wales
Date: Mar 2019
Location: United Kingdom
Summary
A ransomware attack hit the UK's Police Federation, encrypting databases and email systems at its headquarters and causing service disruptions. Backup data was also deleted during the incident, though no evidence of data extraction was found. The organization reported the breach to data protection authorities within the mandated timeframe, and an investigation by the National Crime Agency suggested the attack was likely part of a broader campaign rather than one aimed specifically at the Federation. None of the federation's regional branches were affected by the incident.
Description
The U.K. Police Federation, representing 119,000 police officers across England and Wales, experienced a ransomware attack on March 9, 2019, at its Surrey headquarters. The organization publicly disclosed the incident on March 21 via a Twitter statement, revealing a 12-day gap between detection and public acknowledgment. Attackers encrypted multiple databases and email systems, causing operational disruptions to the Federation's services. Notably, backup data was also deleted during the incident, complicating recovery efforts. While the Federation confirmed that none of the other branches among its 43 nationwide locations were compromised, headquarters systems remained partially inaccessible following the encryption. Initial forensic analysis found no evidence of data exfiltration, though officials acknowledged that this possibility could not be ruled out. The attack affected the Federation's core IT infrastructure but not police force operational systems, as the Federation functions as a staff association rather than a law enforcement agency.

The Police Federation formally reported the breach to the U.K. data protection regulator on March 11, complying with the European Union's mandatory 72-hour notification window under data protection regulations. The National Crime Agency (NCA) assumed lead investigative responsibilities, though both the Federation and NCA declined to provide additional details beyond initial statements, citing the active investigation. Organizational leadership characterized the incident as part of a broader ransomware campaign rather than a targeted attack against law enforcement entities. Service restoration efforts proceeded alongside the criminal investigation, though the article did not specify completion timelines or data recovery methods employed. This incident occurred contemporaneously with the LockerGoga ransomware attack on Norwegian firm Norsk Hydro, though no explicit connection between the two events was established in available reporting.
