Greater Manchester Police has recently been hit by a ransomware attack. The incident, reported on Thursday, arose from a security breach at a third-party vendor that holds police personnel data. Information at risk includes officers' identifying badge details, such as ranks, photographs, and serial numbers.
Ransomware Attack on UK’s Law Enforcement
Earlier, in August, the Metropolitan Police disclosed a similar cybersecurity breach involving the same third-party vendor, which exposed data on its officers and staff.
Several UK entities, including the Royal Mail, Capita and Barts Health NHS Trust, have suffered ransomware attacks this year, as did The Guardian last year.
Ransomware is malicious software that infiltrates an organization's network, often through a phishing attack in which an employee is deceived into downloading the malware via email. The malware encrypts the computers it can reach, locking users out of their data. The cybercriminals then offer decryption in return for a ransom, usually demanded in cryptocurrency.
A variant of this threat, known as “double extortion,” involves the attackers exfiltrating data to use as additional leverage, by threatening to sell or publicly release it.
The UK's data protection authority, the Information Commissioner's Office (ICO), recorded 706 ransomware incidents last year, a slight uptick from the 694 cases in 2021.
Ransomware attacks are widespread across both the private and public sectors, but entities such as law enforcement agencies that hold sensitive staff information need to exercise caution when choosing third-party vendors for data handling, as underscored by Rafe Pilling from cybersecurity firm Secureworks. The attack highlights the risk posed by even seemingly harmless suppliers, which can lead to significant repercussions when sensitive data is jeopardized.
Most Ransomware Attacks Come from Eastern Europe and Russia
Ransomware attacks are most often traced back to Eastern Europe, former Soviet regions, and notably Russia. This year British Airways, the BBC, and Boots were targeted by the Clop group, which is identified by its specific ransomware strain.
The legality of ransom payments in the UK is a grey area, although authorities discourage them. While not typically unlawful, making a ransom payment becomes illegal if there is knowledge or suspicion that the funds support terrorist activities.
Despite the disapproval, UK organizations have been paying ransoms. Cybersecurity firm Sophos reveals that the average ransom payment by UK entities surpasses the global average, standing at £1.7 million ($2.1 million).
In light of these incidents, the ICO is expected to probe whether the Greater Manchester and Metropolitan police forces adequately vetted their third-party supplier and adhered to proper contracting protocols. Although the ICO has hinted at reducing the fines it imposes on public sector bodies for GDPR infringements, the supplier involved, Stockport-based Digital ID, will also face scrutiny. Digital ID, which makes identity cards and lanyards, serves numerous UK organizations including NHS trusts and universities.