Data on Labour Party members, registered and affiliated supporters, and others who have provided their personal information to the political party has been compromised in a major security breach at a third-party organisation that handles and processes data on Labour’s behalf.
In an email sent to all its members, which has also been posted to its website, Labour said it was informed of the incident by the third party, whose identity is undisclosed, on Friday 29 October. It said the incident had resulted in “a significant quantity of party data being rendered inaccessible on their systems”. It is currently conducting an investigation alongside cyber forensics experts, the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC), and has informed the Information Commissioner’s Office (ICO).
In the email, Labour said it was also working closely with the unnamed IT supplier to understand the full nature, circumstance and impact of the incident. It stressed that its own data systems were unaffected in the attack.
“The party takes the security of all personal information for which it is responsible very seriously. It is doing everything within its power to investigate and address this incident in close liaison with law enforcement, the Information Commissioner’s Office and the affected third party,” the Labour Party said in its statement.
At the time of writing, there is no indication of the precise nature of the incident – however, the fact that data was “rendered inaccessible” will likely be taken by some as an indication of a ransomware attack.
A spokesperson for the NCA said: “The NCA is leading the criminal investigation into a cyber incident impacting on the Labour Party. We are working closely with partners to mitigate any potential risk and assess the nature of this incident.”
An NCSC spokesperson added: “We are aware of this issue and are working with the Labour Party to fully investigate and mitigate any potential impact.
“We would urge anyone who thinks they may have been the victim of a data breach to be especially vigilant against suspicious emails, phone calls or text messages and to follow the steps set out in our data breaches guidance. The NCSC is committed to helping organisations manage their cyber security and publishes advice and guidance on the NCSC website.”
The ICO has also confirmed that it is actively making enquiries into the still-unfolding incident.
Absent further information, Labour Party members are advised to exercise heightened vigilance against suspicious activity targeting them, as per the NCSC’s official data breach guidance. This includes being alert to suspicious, unsolicited communications, such as calls, emails and texts, checking online accounts for signs of compromise or suspicious activity, and changing passwords or enabling multi-factor authentication on online services and platforms if you have not yet done so.
This is the second time in the space of two years that the Labour Party has found itself the victim of a data breach at one of its suppliers. At the end of July 2020 it was caught up in a ransomware attack on US-based Blackbaud, a supplier of fundraising and donor management software and services, which saw the details of Labour Party donors exposed.
This attack affected multiple UK organisations including a number of educational institutions and charities such as the National Trust.
Blackbaud, which badly bungled its response to the attack, is currently the subject of a class action lawsuit in the US. The plaintiffs allege that the supplier failed to comply with industry and regulatory cyber security standards, and did not provide timely or accurate information on the attack.