UK police officers' data stolen in cyberattack on ID supplier

The personal details of thousands of U.K. police officers have been stolen after a suspected ransomware attack on a third-party supplier.

Greater Manchester Police, one of the largest police departments in the U.K., confirmed last week that the supplier, since confirmed as Stockport based identity card maker Digital ID, holds “some information on those employed by GMP.”

“We understand how concerning this is for our employees so, as we work to understand any impact on GMP, we have contacted the Information Commissioner's Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported,” Colin McFarlane, assistant chief constable of GMP, said in a statement. “This is being treated extremely seriously, with a nationally-led criminal investigation into the attack.”

When asked by TechCrunch, GMP spokesperson Abi Richardson declined to say what types of data were accessed, though the force has confirmed that financial data is not believed to be affected. The spokesperson also declined to say how many officers are affected, but BBC News reports that as many as 20,000 individuals had their information stolen.

Digital ID, the third-party supplier at the center of the cyberattack, also declined to answer TechCrunch’s questions. The organization, which claims to serve more than 22,000 customers across 100 countries, did not dispute that it was the target of a ransomware attack or that a number of its clients were affected by the incident.

TechCrunch understands that Digital ID prints cards for a small number of customers, including GMP, which requires these organizations to supply employees’ personal data.

“Last month, we identified an IT security incident that affected the company’s systems. We quickly engaged specialist external cyber and forensic consultants to conduct an investigation into the impact of this incident and the data that may be involved; this investigation remains ongoing,” Rima Sacre, an agency spokesperson representing Digital ID, told TechCrunch.

“As this incident has been reported to the authorities and our investigation is ongoing, it would be inappropriate for us to offer any further comment at this time.” The spokesperson declined to say whether the organization had received a ransom demand.

The U.K.'s National Crime Agency (NCA), which is investigating the GMP breach, confirmed to TechCrunch that the Digital ID attack was also behind a recent breach affecting London's Metropolitan Police. This incident, which was at the time blamed on the IT system of one of its suppliers, exposed the names, ranks, photos, vetting levels and pay numbers belonging to officers and staff.

"The National Crime Agency is leading the criminal investigation into a cyber incident affecting a company which supplies ID card services to a number of UK organisations, the spokesperson said. “We are working alongside the NCSC and law enforcement partners to fully understand the impact of the incident and support those organisations whose data has been accessed.”

Updated with comment from the NCA.

Read more on TechCrunch: