Labour Party supplier ransomware attack: Who holds ex-members' data and on what legal basis?

Mystery surrounds the Labour Party ransomware attack, with former party members who left years ago saying their data was caught up in the hack – while official sources refuse to say what really happened.

Yesterday, after Prime Minister's Question Time in Parliament, the political grouping once referred to as the Official Opposition to Her Majesty's Government confessed to the breach, insisting the "cyber incident" had resulted in unspecified party IT systems "being rendered inaccessible" – with the clear implication that this was a ransomware attack.

"On 29 October 2021, we were informed of the cyber incident by the third party. The third party told us that the incident had resulted in a significant quantity of Party data being rendered inaccessible on their systems," Labour spokeswoman Sophie Nazemi told The Register.

She failed to say how many members were affected or what the source of the data breach was – and the public is beginning to demand answers, especially as former party members begin questioning why their information was in the breach.

Reg reader Michelle told us she had joined the party in 2010 but promptly cancelled her membership after being "bombarded with SMS texts" urging her to vote for Labour candidates.

"When I telephoned the Labour HQ to get my mobile phone number removed, I was told that they could remove it from the central database but not from the others because they'd given a copy of the membership database to each candidate. I told them that they had committed a serious breach and I did go on to lodge an official complaint but of course it didn't go anywhere," she told El Reg.

Cathryn Culverhouse, an associate with law firm DMH Stallard, told The Register that if Labour or its unknown third party was holding ex-party members' data, they might be in legal hot water.

"Under GDPR they certainly can't hold it. If there's no ongoing reason to have hold of it, I would say after 10 years why do they still need that data?" said Culverhouse, adding that the fact the data was captured and stored long before GDPR and the Data Protection Act 2018 came into force doesn't matter.

Although Michelle contacted the ICO in 2010 to complain about Labour's attitude to data retention, she said she hadn't kept copies of their correspondence.

Privacy policy... er, about that

Identifying the source of the ransomware attack and apparent data breach is important for those seeking accountability from the data processor, as well as understanding how and why their political party was passing their data to others.

The main party privacy policy says Labour captures data from forms people fill out (either on paper or on its website), attendee lists at events it organises, social media interactions or (obviously) signing up as a member or registered supporter. It also says the party buys access to the electoral roll, the list of registered voters in the UK, as well as buying "geodemographic segmentation" information.

It adds:

• Beijing fingers foreign spies for data mischief, with help from consulting firm
• BlackMatter ransomware gang says it's disbanding – again – after Ukraine arrests
• Locked up: UK's Labour Party data 'rendered inaccessible' on third-party systems after cyber attack
• CyberUp presents four principles to keep security researchers out of jail for good-faith probing

DMH Stallard's Culverhouse told The Register: "I don't think they're going to get away with saying, 'Sorry, we gave it all to a third party and therefore we have no responsibility'."

Judging by angry reactions on (where else) Twitter, it seems party and ex-party members may not have received the assurances promised in the privacy policy.

I've just had an email from the Labour Party about their data breach. I shall be emailing to inform them that as I resigned from the party several years ago they are in breach of the Data Protection Act by retaining any data on me, including my email.

— Athena Nike 🏁 🟥 (@AthenaNike4) November 3, 2021

I left the Labour Party in 2016, when they waved through the Investigatory Powers Act.

Today I got notified that I was still on their records for this wonderful data breach.

— Prof Paul Bernal (@PaulbernalUK) November 4, 2021

It is unclear why a state agency such as the Information Commissioner's Office (ICO) would withhold the identity of an organisation it is investigating. While the Labour Party is primarily responsible for data it collects, that doesn't excuse third-party data processors from obeying the law.

Where next?

Labour's main website at labour[.]org[.]uk appears to be a WordPress CMS running a custom frontend theme built by an American company called Wide Eye Creative. We have asked Wide Eye whether it has suffered a cyber attack within the last month and will update this article if we hear back from the firm.

We have also asked Nationbuilder, a popular vertically integrated website and political campaigning tool, whether it suffered any data breach affecting Labour members' data within the last month.

The National Cyber Security Centre press office failed to answer its phone. The ICO declined to comment. The Labour Party acknowledged receipt of The Register's questions but failed to answer them, instead repeating its prepared statement from earlier this week. ®

If you are caught up in the so-called Labour Party data breach and think you might know who the mysterious third party is, contact the author by clicking his name at the top and sending him an email. All information is treated in confidence.