Labour’s data breach

On 3rd November the following “notification of data incident” appeared on the Labour Party website:

We wish to inform you that a third party that handles data on our behalf has been subject to a cyber incident. While the Party’s investigation remains ongoing, we wanted to make you aware of this incident and the measures which we have taken in response. We have also provided details of precautionary steps you may consider taking to help protect yourself.

We were also told:

We understand that the data includes information provided to the Party by its members, registered and affiliated supporters, and other individuals who have provided their information to the Party. The full scope and impact of the incident is being urgently investigated.

And we were reassured:

The Party takes the security of all personal information for which it is responsible very seriously. It is doing everything within its power to investigate and address this incident in close liaison with law enforcement, the Information Commissioner’s Office and the affected third party.

A further posting, undated, has added the following information:

You may have heard that one of our suppliers, Blackbaud, has suffered a data breach. The Labour Party takes its responsibilities regarding data security very seriously and this notice is intended to provide further information about this situation…

Blackbaud have notified the Labour Party that they have been the victim of a sophisticated ransomware attack, which occurred sometime between February and May this year. During this time, a backup file containing personal information was stolen by a cybercriminal. It is important to immediately note that no sensitive information, such as bank account information, passwords or usernames, was taken. Blackbaud have also confirmed that they have paid the ransom demanded by the cybercriminal and have received assurances that the data was destroyed as a result.

So that’s all right then!

Well, it isn’t really. Even if this incident turns out to be resolved with no further repercussions, it is clear that Labour’s attitude to data protection is seriously wanting, as Glynis Millward makes clear in her discussion of this incident in the video below.

 

Comments (11)

  • Alasdair MacVarish says:

    Labour Party an utter disgrace — employing Assaf Kaplan, a former member of Israeli military intelligence, in Starmer’s office to trawl internet for information on members’ activities.

  • Tony says:

    “It is important to immediately note that no sensitive information, such as bank account information, passwords or usernames, was taken. Blackbaud have also confirmed that they have paid the ransom demanded by the cybercriminal and have received assurances that the data was destroyed as a result.”

    Well, if you can’t trust the word of a criminal, who can you trust?

  • Annie Weatherly-Barton says:

    I’m v v stressed by this whole breach let alone rest of labour shenanigans in these past two years! When I resigned after redacted report was leaked I expected my details to be sold off! We should surely sue them?

  • Stephen Richards says:

    Who?
    Who are they?
    What is the name of this 3rd Party Organisation?
    Who owns this company?
    Who authorised its use?
    Who will take responsibility?

  • Dave Putson says:

    So Blackbaud pay the cybercriminal and received assurances that the data had been deleted. That sounds incredibly naive. But who pays Blackbaud to hold this information, presumably the Labour Party so it will be the membership once again paying to get no particular service at all and have our data compromised. Everything that Starmer’s Labour do appears to me to be very “amateur hour” stuff. I have no confidence in Blackbaud given their apparent willingness to just take the word of cyber criminal that the data has now been deleted. So, now we need to know who is responsible for Blackbaud…CEO, Information Officer etc etc. This is a disgrace for them and the LP “leadership”.

  • Richard Hobson says:

    Interestingly I had an email from the Labour Party about this data breach and the potential loss of my data – I left the party about 18 months ago!

  • Shaun Adrian Hague says:

    I had the same email as Richard H and left 20 months ago. I wrote to the LP complaining at their illegal holding of my details and had a very curt reply, telling me that, in so many words, they were above the Data Protection Act. Subterfuge and dishonesty are the by-words of this Newest Labour invention.

  • Bill says:

    Whilst sharing all of the concerns expressed I think it is helpful to point out that the Blackbaud breach occurred last year.
    http://www.itv.com/news/2020-07-30/labour-party-has-data-compromised...
    This is a further breach where the third party company has yet to be disclosed by the party and investigations continue.

  • Hugh Roper says:

    The Labour Party’s further posting is, as you point out, undated. If it relates to a ransomware attack on Blackbaud in February to May 2021, it’s worth noting that Blackbaud was subjected to a similar ransomware attack in May 2020. Also on that occasion they paid the ransom. On 16 July 2020 Blackbaud went public on the incident, stating on their own website that they “… have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.” However, according to Wikipedia, later the same year, on 20 September 2020, Blackbaud CFO Tony Boor admitted in a Form 8-K filing that, contrary to earlier claims, customer “bank account information, social security numbers, usernames and/or passwords” were compromised.
    I’m wondering when and by whom the decision was made to outsource handling of data relating to Labour Party members to a third party, contrary to the Party’s own undertaking not to do just that.

  • James Dickins says:

    If you have been a victim of this data breach, and want financial compensation, Hayes Connor solicitors have set up a facility to help you do this: https://www.hayesconnor.co.uk/news-and-resources/news/labour-party-suffers-data-breach-exposing-members-private-data/

  • John Bowley says:

    Glynis is brilliant at trying to explain this shocking story. It has barely been explained by the Labour Party management. It seems to be uselessness, at least, on the part of senior staff and the General Secretary, whose focus has been incompetently distracted into disgracefully persecuting loyal Labour members and plotting unusual methods of getting good people expelled.

    I think it right that members should consider legal action against this Party. I applaud those who have been considering how to go about it.

    Last evening I heard a rumour that there could be a link between the top of the Labour Party and the outside company which lost our information. This may only be normal intercommunication. Does anyone know any more?
