KEY FINDINGS
- The data breach affected over 8,000 Greater Manchester Police officers.
- The hackers targeted a company that produces warrant cards for the police force.
- The stolen data includes the names and photos of officers, but not their financial information.
- The police force is working with the Information Commissioner’s Office to investigate the breach.
- The police force is taking the breach “extremely seriously” and is working to improve its security practices.
The UK police force seems to be the current target of cybercriminals. It has been mere days since Hackread reported a data breach affecting the Metropolitan Police Force, in which the personal data of 47,000 Met Police officers and staff members, including names, photos, ranks, identification numbers, and vetting levels, was breached. Now, just after two weeks, another police department, the Greater Manchester Police (GMP), has become the victim of a data breach.
According to reports published in British media outlets, Greater Manchester Police has suffered a huge cyberattack leading to the theft of warrant card details of thousands of officers. Per a report from the Manchester Evening News, the breached data includes the names and photos of police officers. It is worth noting that over 8,000 cops are employed by the GMP.
Reportedly, the hackers targeted a company the police force had contracted to produce warrant cards. GMP’s CC Colin McFarlane stated that a ransomware attack was launched against the third-party supplier, which was hired by several UK organizations. GMP is one of them. McFarlane also noted that the supplier held “some information” on GMP employees. However, GMP believes the financial data of its officers wasn’t part of the information.
“We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioner’s Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported. This is being treated extremely seriously, with a nationally led criminal investigation into the attack,” McFarlane added.
Commenting on the hack, Cian Heasley, security consultant at Adarma, told Hackread.com, “Incidents like this one affecting a third-party supplier of the Greater Manchester Police highlight that in today’s business environment, it is necessary to consider not just the exposure, risk and security of your own organization but also the organizations and companies that you rely upon.”
“The ICO statistics for 2022 showed a small rise in reported ransomware incidents in the UK to a new record number; 2023 shows no sign of a reduction in organizations that are preyed upon by these cybercriminal gangs,” Cian added.
Brad Freeman, Director of Technology at SenseOn, said: “The latest attack on the Greater Manchester Police shows that supply chain security is becoming increasingly difficult, and whilst enterprises have been struggling with it for several years, many have gripped it and the improvements many have put in place are reducing risk.”
“Evidently, there is a need for all organizations to audit suppliers constantly and to create an overall consistent approach to data security. Whilst the financial details and home addresses of the police officers are believed to have not been retrieved in the incident, it is concerning that the data from the warrant badges is currently in the possession of the cybercriminals. This could enable the adversaries to carry out further attacks such as account takeover or BEC attacks,” Brad warned.
Javvad Malik, Lead security awareness advocate at KnowBe4, also commented on the incident. “The reported data breach targeting Greater Manchester Police officers’ warrant card details is a concerning incident, further exemplifying the persistent cybersecurity challenges faced by law enforcement agencies. This breach follows a similar attack on the Metropolitan Police, highlighting the potential vulnerabilities of third-party suppliers in the supply chain.”
“While it’s reassuring to learn that financial details and home addresses were not compromised, the exposure of names, ranks, and photographs from warrant badges can still have significant implications. Such information can be leveraged for identity theft, social engineering attacks, or even the targeting of specific police officers.”
Javvad emphasized that “It’s essential for law enforcement agencies to conduct rigorous security assessments of their third-party suppliers and ensure they meet stringent cybersecurity standards. Additionally, implementing robust monitoring, detection, and response mechanisms can help organizations identify and respond quickly to potential breaches.”
Nevertheless, it seems UK police departments are employing all the necessary security measures; however, their third-party contractors need to improve their security practices to avoid such incidents.