Shock as Cyber Attack Launched on Manchester Police

The personal details of Greater Manchester Police (GMP) officers have been hacked after the force was targeted in a cyber attack.

Though GMP has confirmed no home address or financial information was stolen, details on warrant cards and identity badges – including names and photos of individuals and police collar numbers or identity numbers – were stolen from the force’s supplier of ID badges, says the BBC.

“Extremely Seriously”

A third-party supplier of ID badges for the Northwest police force has been targeted in a cyber ‘ransomware attack’.

GMP has stated that the National Crime Agency, with Assistant Chief Constable Colin McFarlane confirming that a “third-party supplier” of various organisations in addition to the GMP was targeted.

“At this stage, it’s not believed this data includes financial information,” he said.

“This is being treated extremely seriously, with a nationally-led criminal investigation into the attack.”

Commenting on this story is Brad Freeman, Director of Technology at SenseOn, told Techround: “Another day, another data breach for the British police force. The latest attack on the Greater Manchester Police shows that supply chain security is becoming increasingly difficult, and whilst enterprises have been struggling with it for several years, many have gripped it and the improvements many have put in place are reducing risk.”

“Evidently, there is a need for all organisations to audit suppliers constantly and to create an overall consistent approach to data security. Whilst the financial details and home addresses of the police officers are believed to have not been retrieved in the incident, it is concerning that the data from the warrant badges is currently in the possession of the cybercriminals. This could enable the adversaries to carry out further attacks such as account takeover or BEC attacks.”

A Source of Anxiety

The GMP force, like many others, uses covert officers and has a sizeable counter-terror unit.

GMP Federation chair Mike Peake says the leak is a source of “anxiety” for officers.

“Our colleagues are undertaking some of the most difficult and dangerous roles imaginable to catch criminals and keep the public safe,” Mr Peake said.

“To have any personal details potentially leaked out into the public domain in this manner – for all to possibly see – will understandably cause many officers concern and anxiety.”

“We are working with the force to mitigate the dangers and risks that this breach could have on our colleagues.”

This latest attack comes within six weeks of two other police forces having their data leaked.

Also commenting on this story is Brian Higgins, Security Specialist at Comparitech, told Techround: “This breach is an all too familiar successful Supply Chain attack, either associated with or a copycat of the recent breach of the Metropolitan Police warrant card provider. It’s easy to forget that your Network extends far beyond your core business. Your suppliers, partners and clients are all plugged into your business in some way or another and attackers are well aware of the potential vulnerabilities and incursion opportunities these digital relationships present.

“The case for all Law Enforcement agencies to target-harden wherever possible has been a strong one for some time now as it’s not implausible that recent data leaks and thefts of Police information may well have raised awareness of the value of such data in criminal marketplaces. Knowing this personal information is in the wild must be incredibly stressful for those affected, their families and loved ones, and it is no secret that in some cases its dissemination represents a significant threat to life. It is to be hoped that they are getting the help and protection that they need.”

“As for every organisation seeking to learn from this incident, it’s good practice to include some form of baseline Cyber Security requirement in supplier contracts, and influence them to do the same (it is a chain after all) so reviewing and adding something as basic as Cyber Essentials would be a start at least.”

Breaches in UK Police

In late August, London’s Metropolitan Police said it had been made aware of unauthorised entry to the IT systems of one of its suppliers of warrant cards and staff passes, which exposed the names, ranks and vetting levels of its officers and staff.

Meanwhile, the Police Service of Northern Ireland (PSNI) was also recently left “incredibly vulnerable” by a massive data breach in August

The breach involved the surname, initials, rank or grade, work location and departments of all PSNI staff, but did not involve the officers’ and civilians’ private addresses.

The leak came as a result of information published in response to a Freedom of Information request, which was later taken down.

The PSNI’s Assistant Chief Constable Chris Todd told the Northern Ireland Affairs Committee last week that almost 4,000 officers and staff have come forward with concerns after that data leak.

Committee chair Simon Hoare said it could potentially cost the force £240m in security and legal costs.

To ensure this issue doesn’t arise again in the future, Camellia Chan, CEO and co-founder at Flexxon, told Techround: “While the full impact of the attack is yet to be exposed, there will undoubtedly be many officers already worrying that their personal details have been leaked. Breaches of this nature have become so common over the last few months, such as the Met Police and Electoral Commission – proving that the public sector remains a key target for hackers. Attacks in this case can be motivated by both political and financial interests and are designed to cause maximum disruption to essential public services.”

“To defend workers and the public, there needs to be a dramatic change in the way that security is understood. Public sector organisations – and all organisations for that matter – can no longer see cybersecurity as an add-on, but as an integral part of IT systems. Technology is a greater force for good, and solutions are out there. Organisations must be proactive in assessing security gaps and addressing those with proven innovations across all layers of devices.”