Greater Manchester Police Hack Follows Third-Party Supplier Fumble

Thousands of pieces of Greater Manchester Police (GMP) officer data used for ID badge details, such as names and pictures, have been stolen from the third-party supplier of the badges in a major hack.

The UK's National Crime Agency is investigating the incident after the third-party company fell victim to an alleged ransomware attack. In an email that GMP sent to its staff, it noted that the data that may have been accessed included names, ranks, photos, and serial numbers, but no financial information was stolen. 

"We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioners Office (ICO) and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported," said the Great Manchester Police in a statement regarding the breach.

This incident is nearly identical to a hack that impacted London's Metropolitan Police in August in which officers were warned that their information such as names, ranks, and ID numbers had been stolen when hackers broke into the IT systems of a contactor that printed warrant cards and staff passes. Around 47,000 officers were affected, including those that were undercover or assigned to the royal family. 

Whether these two incidents, or a third potentially related incident that affected 10,000 police officers in Northern Ireland early last month, are related is unknown, but they do indicate that threat actors are increasingly targeting officers and police staff within the United Kingdom. As noted regarding the attack in Northern Ireland, this does continue to highlight concerns regarding whether or not cybersecurity safeguards in the UK are effective enough to protect its members in public service. 

Javvad Malik, lead security awareness advocate at KnowBe4, commented on the breach in an emailed statement. "The reported data breach targeting Greater Manchester Police officers' warrant card details is a concerning incident, further exemplifying the persistent cybersecurity challenges faced by law enforcement agencies," he said, going on to note that the breaches showcase the danger that can exist when it comes to outsourcing to third-party suppliers. 

"While it's reassuring to learn that financial details and home addresses were not compromised, the exposure of names, ranks, and photographs from warrant badges can still have significant implications," he added. "Such information can be leveraged for identity theft, social engineering attacks, or even the targeting of specific police officers