Labour Party supplier ransomware attack: Who holds ex-members' data and on what legal basis?

'Anon firm lost your data, don't worry' just makes people more fearful

Mystery surrounds the Labour Party ransomware attack, with former party members who left years ago saying their data was caught up in the hack – while official sources refuse to say what really happened.

Yesterday, after Prime Minister's Question Time in Parliament, the political grouping once referred to as the Official Opposition to Her Majesty's Government confessed to the breach, insisting the "cyber incident" had resulted in unspecified party IT systems "being rendered inaccessible" – with the clear implication that this was a ransomware attack.

"On 29 October 2021, we were informed of the cyber incident by the third party. The third party told us that the incident had resulted in a significant quantity of Party data being rendered inaccessible on their systems," Labour spokeswoman Sophie Nazemi told The Register.

She failed to say how many members were affected or what the source of the data breach was – and the public is beginning to demand answers, especially as former party members begin questioning why their information was in the breach.

Reg reader Michelle told us she had joined the party in 2010 but promptly cancelled her membership after being "bombarded with SMS texts" urging her to vote for Labour candidates.

"When I telephoned the Labour HQ to get my mobile phone number removed, I was told that they could remove it from the central database but not from the others because they'd given a copy of the membership database to each candidate. I told them that they had committed a serious breach and I did go on to lodge an official complaint but of course it didn't go anywhere," she told El Reg.

Cathryn Culverhouse, an associate with law firm DMH Stallard, told The Register that if Labour or its unknown third party was holding ex-party members' data, they might be in legal hot water.

"Under GDPR they certainly can't hold it. If there's no ongoing reason to have hold of it, I would say after 10 years why do they still need that data?" said Culverhouse, adding that the fact the data was captured and stored long before GDPR and the Data Protection Act 2018 came into force doesn't matter.

Although Michelle contacted the ICO in 2010 to complain about Labour's attitude to data retention, she said she hadn't kept copies of their correspondence.

Privacy policy... er, about that

Identifying the source of the ransomware attack and apparent data breach is important for those seeking accountability from the data processor, as well as understanding how and why their political party was passing their data to others.

The main party privacy policy says Labour captures data from forms people fill out (either on paper or on its website), attendee lists at events it organises, social media interactions or (obviously) signing up as a member or registered supporter. It also says the party buys access to the electoral roll, the list of registered voters in the UK, as well as buying "geodemographic segmentation" information.

It adds:

Third party data use

Where personal data is provided to us by a third party, we will make sure that these third parties have provided you with appropriate privacy information on the sharing of this data with the Labour Party and that they have a clear lawful reason for sharing this data.

DMH Stallard's Culverhouse told The Register: "I don't think they're going to get away with saying, 'Sorry, we gave it all to a third party and therefore we have no responsibility'."

Judging by angry reactions on (where else) Twitter, it seems party and ex-party members may not have received the assurances promised in the privacy policy.

It is unclear why a state agency such as the Information Commissioner's Office (ICO) would withhold the identity of an organisation it is investigating. While the Labour Party is primarily responsible for data it collects, that doesn't excuse third-party data processors from obeying the law.

Where next?

Labour's main website at labour[.]org[.]uk appears to be a WordPress CMS running a custom frontend theme built by an American company called Wide Eye Creative. We have asked Wide Eye whether it has suffered a cyber attack within the last month and will update this article if we hear back from the firm.

We have also asked Nationbuilder, a popular vertically integrated website and political campaigning tool, whether it suffered any data breach affecting Labour members' data within the last month.

The National Cyber Security Centre press office failed to answer its phone. The ICO declined to comment. The Labour Party acknowledged receipt of The Register's questions but failed to answer them, instead repeating its prepared statement from earlier this week. ®

If you are caught up in the so-called Labour Party data breach and think you might know who the mysterious third party is, contact the author by clicking his name at the top and sending him an email. All information is treated in confidence.
