Labour Party supplier ransomware attack: Who holds ex-members' data and on what legal basis?

'Anon firm lost your data, don't worry' just makes people more fearful

Mystery surrounds the Labour Party ransomware attack, with former party members who left years ago saying their data was caught up in the hack – while official sources refuse to say what really happened.

Yesterday, after Prime Minister's Question Time in Parliament, the political grouping once referred to as the Official Opposition to Her Majesty's Government confessed to the breach, insisting the "cyber incident" had resulted in unspecified party IT systems "being rendered inaccessible" – with the clear implication that this was a ransomware attack.

"On 29 October 2021, we were informed of the cyber incident by the third party. The third party told us that the incident had resulted in a significant quantity of Party data being rendered inaccessible on their systems," Labour spokeswoman Sophie Nazemi told The Register.

She failed to say how many members were affected or what the source of the data breach was – and the public is beginning to demand answers, especially as former party members begin questioning why their information was in the breach.

Reg reader Michelle told us she had joined the party in 2010 but promptly cancelled her membership after being "bombarded with SMS texts" urging her to vote for Labour candidates.

"When I telephoned the Labour HQ to get my mobile phone number removed, I was told that they could remove it from the central database but not from the others because they'd given a copy of the membership database to each candidate. I told them that they had committed a serious breach and I did go on to lodge an official complaint but of course it didn't go anywhere," she told El Reg.

Cathryn Culverhouse, an associate with law firm DMH Stallard, told The Register that if Labour or its unknown third party was holding ex-party members' data, they might be in legal hot water.

"Under GDPR they certainly can't hold it. If there's no ongoing reason to have hold of it, I would say after 10 years why do they still need that data?" said Culverhouse, adding that the fact the data was captured and stored long before GDPR and the Data Protection Act 2018 came into force doesn't matter.

Although Michelle contacted the ICO in 2010 to complain about Labour's attitude to data retention, she said she hadn't kept copies of their correspondence.

Privacy policy... er, about that

Identifying the source of the ransomware attack and apparent data breach is important for those seeking accountability from the data processor, as well as understanding how and why their political party was passing their data to others.

The main party privacy policy says Labour captures data from forms people fill out (either on paper or on its website), attendee lists at events it organises, social media interactions or (obviously) signing up as a member or registered supporter. It also says the party buys access to the electoral roll, the list of registered voters in the UK, as well as buying "geodemographic segmentation" information.

It adds:

Third party data use

Where personal data is provided to us by a third party, we will make sure that these third parties have provided you with appropriate privacy information on the sharing of this data with the Labour Party and that they have a clear lawful reason for sharing this data.

DMH Stallard's Culverhouse told The Register: "I don't think they're going to get away with saying, 'Sorry, we gave it all to a third party and therefore we have no responsibility'."

Judging by angry reactions on (where else) Twitter, it seems party and ex-party members may not have received the assurances promised in the privacy policy.

It is unclear why a state agency such as the Information Commissioner's Office (ICO) would withhold the identity of an organisation it is investigating. While the Labour Party is primarily responsible for data it collects, that doesn't excuse third-party data processors from obeying the law.

Where next?

Labour's main website at labour[.]org[.]uk appears to be a WordPress CMS running a custom frontend theme built by an American company called Wide Eye Creative. We have asked Wide Eye whether it has suffered a cyber attack within the last month and will update this article if we hear back from the firm.

We have also asked Nationbuilder, a popular vertically integrated website and political campaigning tool, whether it suffered any data breach affecting Labour members' data within the last month.

The National Cyber Security Centre press office failed to answer its phone. The ICO declined to comment. The Labour Party acknowledged receipt of The Register's questions but failed to answer them, instead repeating its prepared statement from earlier this week. ®

If you are caught up in the so-called Labour Party data breach and think you might know who the mysterious third party is, contact the author by clicking his name at the top and sending him an email. All information is treated in confidence.
