The growing data breach at Greater Manchester Police follows a cyber assault on the methods of a key provider of ID providers to the pressure
By
-
Alex Scroxton,
Security Editor
Published: 15 Sep 2023 11:00
A ransomware assault on Digital ID, a Stockport-based provider of identification and entry playing cards, is growing into a critical supply chain incident after data breaches affecting Greater Manchester Police (GMP) and London’s Metropolitan Police forces got here to mild.
The breach on the Met got here to mild in August, however GMP solely revealed its data had been compromised yesterday (14 September), with greater than 12,500 officers and workers warned that their private data could have been affected. The data itself is known to incorporate particulars of serving officers’ warrant playing cards, which incorporates names, ranks, pictures and serial numbers.
GMP assistant chief constable Colin McFarlane mentioned: “We are conscious of a ransomware assault affecting a third-party provider of varied UK organisations, together with GMP, which holds some data on these employed by GMP. At this stage, it’s not believed this data consists of monetary data.
“We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioners Office [ICO] and are doing everything we can to ensure employees are kept informed, their questions are answered and they feel supported. This is being treated extremely seriously, with a nationally led criminal investigation into the attack.”
Computer Weekly understands that, normally, Digital ID provides its clients with the wherewithal to make their very own identification playing cards, however for a small subset of shoppers together with GMP, it affords this as a service, which naturally requires them to supply it with data.
Questions of accountability in supply chain incidents
Coming within the wake of a number of different data safety incidents affecting the UK public sector, ensuing each from cyber assaults and insider error, Tom Kidwell, a former military and intelligence skilled and co-founder of safety consultancy Ecliptic Dynamics, mentioned that the pressure might have executed extra to safe its data.
“When thinking about cyber security, most organisations tend to focus on their own security, and hope that their suppliers and other organisations operating alongside them, are doing their jobs effectively. Unfortunately for the Greater Manchester Police, this seems not to have been the case,” he mentioned.
“The actuality is that legislation enforcement companies and different public sector our bodies have gotten an more and more widespread goal for assaults, not simply because they typically maintain extremely delicate, and profitable data, but additionally to trigger disruption and chaos inside the UK.
“It highlights again the need for having a robust understanding of your supply chain and ensuring they are accountable, particularly in areas which could leave you vulnerable. Managed service providers often have elevated levels of access to your systems and data, often more than your own staff. The assumption is they are taking as much diligence and care of your digital infrastructure as you are,” mentioned Kidwell.
While GMP can’t be blamed for the preliminary cyber assault on its provider, Rob Sheldon, a companion at data breach specialist legislation agency Fieldfisher, voiced related sentiments.
“We don’t know the precise details here, but when an organisation in the UK/EU engages a supplier to provide a service and provides information about people to perform that service it is legally required to carry out due diligence checks on the supplier and to enter into a contract with the supplier.,” mentioned Sheldon.
“The contract should meet sure minimal necessities together with an obligation on the provider to implement and keep acceptable safety measures and to inform the shopper if its data is affected by a data breach.
Sheldon added: “Increasingly, clients search for contractual safety from suppliers in opposition to data safety breaches, together with for breach of contract/legislation, together with an obligation to pay the shopper if a data-breach occurs the place the shopper suffers harm as a results of the breach.
“Often, customers will look for protection against claims from individuals affected by the data-breach, the costs incurred in managing the breach and regulatory fines arising from the breach.”
Read extra on Data breach incident administration and restoration
Security Think Tank: Balanced method can detangle supply chain complexity
By: Francesca Williamson
BitMart the most recent crypto trade to undergo cyber assault
By: Arielle Waldman
Managing cyber threat via built-in supply chains
Government seeks enter on supply chain safety
By: Alex Scroxton
…. to be continued
Read the Original Article
Copyright for syndicated content material belongs to the linked Source : Computer Weekly – https://www.computerweekly.com/news/366552155/Manchester-police-data-breach-a-classic-supply-chain-incident