back to article Locked up: UK's Labour Party data 'rendered inaccessible' on third-party systems after cyber attack

The UK's Labour Party, the official opposition to the country's ruling Conservatives, has suffered a humiliating data breach. Members of the party were sent notice of the issue mid-afternoon UK time, which confirmed a "third party that handles data on our behalf has been subject to a cyber incident." The email, titled " …

  1. Anonymous Coward
    Anonymous Coward

    Not a problem

    Most ordinary labour members supported Corbyn - so losing them is a win.

    Now they only have to recognise "proper members' ie. those in the shadow cabinet and everyone is happy.

  2. Lunatic Looking For Asylum

    Let there be smug....

    Cue the Conservative & Unionist party chortling away until next week when it happens to them....

    1. Anonymous Coward
      Anonymous Coward

      Re: Let there be smug....

      Would an attack on the *currently in power* party technically be an attack on the government, therefore the nation... with lots of unintended consequences involving NATO etc... ?

      /anon because my tin foil hat works.

      1. Gamberoni

        Re: Let there be smug....

        Maybe. They'd use one of their mates (sorry corporate donors) to do the work, they'd massively overcharge for it and get the taxpayer to foot the bill.

        1. Yet Another Anonymous coward Silver badge

          Re: Let there be smug....

          No but Pritti will use it as an excuse why everyone's computer needs to have a license

          1. JassMan
            Trollface

            Re: Let there be smug....

            Not only that, but she will back to demanding that all https is banned and that private individuals can't use encryption. That will work really well at stopping cyber attacks. I'm sure she really wants all passwords transmitted in the clear as well, you know to help the security forces keep our country safe.

            1. Snapper

              Re: Let there be smug....

              Unfortunately I think you are dead right. She's almost at Jacqui Smith levels of paranoia now.

              1. Yet Another Anonymous coward Silver badge

                Re: Let there be smug....

                I think it's something they put in the water.

                If you made Ghandi home secretary he would be building gas chambers within the week

      2. MyffyW Silver badge

        Re: Let there be smug....

        An attack on the leader of said party could possibly be taken in that way. But a cyberattack on the Widdecombe-under-Moped* local conservative association's annual jam-making contest, possibly less so.

        [* a fictional village in Geoffrey the tube train and the fat commedian and not a besmirchment of the one-time Minister for Prisons]

      3. katrinab Silver badge

        Re: Let there be smug....

        Would an attack on the NHS, the HSE (Irish equivalent to the NHS), the London Borough of Hackney, or various colleges and school districts be interpreted in such a way?

        1. Peter2 Silver badge

          Re: Let there be smug....

          Nobody would be able to tell the difference between a DDOS on NHS systems and normal operation as the symptoms (lack of service and an inability to communicate) are identical.

      4. Anonymous Coward
        Joke

        Re: Let there be smug....

        > Would an attack on the *currently in power* party technically be an attack on the government,

        No. Anything less than an attack that takes down the expenses claim system is not severe enough to count as an attack on the government.

    2. Fruit and Nutcase Silver badge
      Alert

      Re: Let there be smug....

      No way will that happen to the Conservative party. They have insurance in the form of Dido Harding who one presumes have given them the inside track on how to guard against cyber attacks. Lightning never stikes twice, right?

      On the other hand, she may be a lightning conductor...

      1. John Brown (no body) Silver badge
        Coat

        Re: Let there be smug....

        "On the other hand, she may be a lightning conductor..."

        She is! I heard she's got the Minute Walz down to 30 seconds.

        1. Fruit and Nutcase Silver badge
          Alert

          Re: Let there be smug....

          Did hackers take the other 30?

      2. Anonymous Coward
        Anonymous Coward

        Re: Let there be smug....

        @Fruit and Nutcase.

        This should make you happy.

        https://www.theguardian.com/society/2021/aug/09/dido-harding-to-step-down-as-chair-of-nhs-improvement

        1. Anonymous Coward
          Anonymous Coward

          Re: Let there be smug....

          Well...every place she leaves does improve so she's had some success...

        2. Fruit and Nutcase Silver badge
          Facepalm

          Re: Let there be smug....

          The fear is where will she turn up next?

          May be Boris will clobber Cummings' creation by appointing her to head ARIA

    3. MJI Silver badge

      Re: Let there be smug....

      Mind you a lot joined to vote Corbyn

      1. Fruit and Nutcase Silver badge

        Re: Let there be smug....

        When Screaming Lord Sutch was alive, I wished that I had the money to give the 3 main parties £1 above the point where the donation had to be officially registered - and then give the Monster Raving Loony Party, several times that figure.

  3. Doctor Syntax Silver badge

    PR speak

    Sophisticated.

    Translation: clever than us. A low bar.

    1. the hatter

      Re: PR speak

      "Can spell 'password', or at least copy the label above the box into the box". Luckily the more complex 'administrator' was prefilled in the previous box.

      1. Anonymous Coward
        Anonymous Coward

        Re: PR speak

        Had a old manager that insisted on having the admin login details.

        Wasn't worried - he was dyslexic, he couldn't even type "administrator".....

  4. Anonymous Coward
    Anonymous Coward

    Who is this 'third party'?

    Enquiring minds want to know (so we can avoid using them in future)

    1. adam 40 Silver badge
      FAIL

      Re: Who is this 'third party'?

      Dunno but they spend £3M a year on this so not insubstantial (2019 audited accounts). I did just send them a Data Enquity and got an automated reply from IP Address 52.100.178.214

      OrgName: Microsoft Corporation

      OrgId: MSFT

      Address: One Microsoft Way

      City: Redmond

      StateProv: WA

      so - maybe it's even more embarrasing?

      From https://labour.org.uk/privacy-policy/members/

      The Labour Party has established procedures to ensure that technological and physical controls are in place that guarantee the privacy of data subjects, the security of data held on technological systems and that all data held by the Labour Party is processed according to an established lawful processing condition. Any such procedures will be reviewed as necessary and updated to ensure their effectiveness in line with advances in technology.

      Our website has security measures in place to protect against the loss, misuse or alteration of the information under our control. Our servers are located in a locked, secure environment, with a guard posted 24 hours a day. When you donate online, we use a secure server to protect your credit card number and other personal information during transmission. The details are transmitted using encrypted mechanisms to ensure absolute security.

      LOLS

      1. Anonymous Coward
        Anonymous Coward

        Re: Who is this 'third party'?

        Hmm, if that is the case, that's surprising, and saddening.

        You would think that the people's Labour Party would use a UK company (preferably one organised as a co-operative or social enterprise, and there are not a few ISPs and web development companies set up that way) rather than shovel money into the claws of a foreign behemoth...

        Do what I say not what I do, much?

        1. HashimFromSheffield

          Re: Who is this 'third party'?

          Where have you been living? That social democratic version of the Labour Party died when Blair was elected. It might have had a chance to be resurrected if Corbyn had been elected, but for some reason The S*n (censored because I'm from Sheffield and that name is almost as offensive as it is in Liverpool) papers were trying to convince us that would have been catastrophic for the nation. Still, I am glad things as they're going are so much less catastrophic.

      2. doublelayer Silver badge

        Re: Who is this 'third party'?

        That's probably Office365 running that part of their email system, not the part that got attacked. It sounds like the database was on a separate system which is the only part known to have been taken down.

        1. adam 40 Silver badge
          IT Angle

          Re: Who is this 'third party'?

          Possibly, or it could be that the rest of it is in Micro$haft's cloud, and the implications of hacking into that are.....

          1. adam 40 Silver badge
            Stop

            Re: Who is this 'third party'?

            OK downvoters, it's Experian.

      3. John Brown (no body) Silver badge

        Re: Who is this 'third party'?

        "Our servers are located in a locked, secure environment, with a guard posted 24 hours a day."

        That could be pretty much any commercial data centre. They all have 24/7 access and someone on the gate/door. And yet Labour are implying their servers are in a special place with a special guard just for their servers.

        1. Alister

          Re: Who is this 'third party'?

          Probably Canary Wharf

        2. I ain't Spartacus Gold badge

          Re: Who is this 'third party'?

          Is there a sign on the door saying, "beware of the leopard"?

          If not, it ain't proper security!

          1. WolfFan Silver badge

            Re: Who is this 'third party'?

            Security has been outsourced. The leopard lost his job, and has been replaced by a spotted hyena. A female spotted hyena. A grumpy female spotted hyena. Look up ‘female spotted hyena anatomy’ and you’ll see why they’re grumpy.

    2. Jamesmates

      Re: Who is this 'third party'?

      Experian used to run their big brother style UK population database, based on the 3m spend I think it's probably still them.

    3. Jamesmates

      Re: Who is this 'third party'?

      Probably still Experian. Remember the Emma's Diary "shock" that they were selling parent details to labour via their Experian big brother database.

      Labour are heavily invested in them and have been for the years.

  5. Anonymous Coward
    Anonymous Coward

    If there's a ransom request they must not pay!

    Nothing of any value whatsoever can possibly be contained within the archive.

    1. Anonymous Coward
      Anonymous Coward

      Re: If there's a ransom request they must not pay!

      I agree.

      I joined the Labour party specifically to have a vote in the leadership elections and to vote for Corbyn. As a fat-cat rich Tory, I would hate for people to know my true identity etc.

      Anon (until El Reg get attacked).

      1. the hatter

        Re: If there's a ransom request they must not pay!

        You registered under your true identity ? I just picked 40 names from the university's latest intake - only 15 of them were already registered so that left plenty more for my use.

    2. elsergiovolador Silver badge

      Re: If there's a ransom request they must not pay!

      Those interpretations of Karl Marx masterpieces lost forever! Such a brobdingnagian tragedy and gargantuan loss to the humanity...

  6. Dave559 Silver badge

    "Cyber"

    They need to put a pound in the swear jar for coming out with that clichéd and long past its use-by date term…

    Can we pass a law that anyone using that word should have a crate of floppy disks poured on their head? Please?

    ("Cyber" doesn't even really mean what they think it means, it's clearly (not) all Greek to far too many people «grumbles»)

    1. IGotOut Silver badge

      Re: "Cyber"

      We need to keep the word.

      It's a way of distinguishing PR mouthpieces from the ones that know what they are on about.

      1. adam 40 Silver badge

        Re: "Cyber" Men

        "It's a way of distinguishing PR mouthpieces from the ones that know what they are on about."

        I propose that they are henceforth dubbed "Cyber Men"

    2. Cav Bronze badge

      Re: "Cyber"

      Why is it inappropriate? Cyber - from the Greek "kybernḗtēs" meaning helmsman - i.e. the one who controls. Computers control the internet, deciding which data goes where and how it is displayed. They control spacecraft - Spacex Crew Dragon is completely automatic. They'll soon be controlling vehicles. They literally are "helmsmen".

      Cyberspace, while based on physical devices is a dimension composed of data, rather than the tangible, again controlled and maintained by computers. An attack which takes place in that dimension can logically, rightly called a cyber attack.

      1. TheProf
        Terminator

        Re: "Cyber"

        You Sir, are a steely-eyed Cyberman!

      2. Dave559 Silver badge

        Re: "Cyber"

        Yes, as you rightly say, the proper meaning of cybernetics is to do with systems and control, but "cyber" is all too often used in lazy phrases such as "cyberspace", "cyber attack", etc, when those who come out with such phrases really just mean "on the interwebz tubes". They are just grating phrases which try to make things sound more grandiose than they are, and which really should belong in the bin along with "surfing the information superhighway" and the like…

    3. Naselus

      Re: "Cyber"

      But who else will we tell the different between infosec workers and retrained ballerinas?

  7. Anonymous Coward
    Anonymous Coward

    My partner used to be a member

    She stopped paying when Corbyn made such a mealy mouthed hash of opposition to Brexit. She was sent an email from the Labour party this afternoon notifying of the breach. Seems like its time to report them to the ICO for retaining the personal information of non-members for an an excessive period of time.

    1. Anonymous South African Coward

      Re: My partner used to be a member

      Do let us, or rather, The Register know what happens in this regard.

    2. Snapper

      Re: My partner used to be a member

      Let's face it, despite the frothing from ardent lefties, Corbyn made a mealy-mouthed hash of everything he touched, including downgrading the Opposition to a shallow unelectable husk which continues to this day.

      1. Anonymous Coward
        Anonymous Coward

        Re: My partner used to be a member

        Corbyn made a mealy-mouthed hash of everything he touched

        How about the 2017 general election? Sure, he lost, but reducing the conservatives to a minority government propped up by the political wing of the UVF was an achievement of sorts.

      2. HashimFromSheffield

        Re: My partner used to be a member

        Nothing to do with him consistently and dogmatically being painted as unelectable over 5 years by almost every mainstream paper in the country then, all of whom unsurprisingly oppose higher tax rates for corporations? You should look at the several LSE studies on media coverage of Corbyn and just how bent it was. And what exactly do you think his influence over the current Labour party, that all but ousted him and has since been "led" by Starmer, is?

      3. Anonymous Coward
        Anonymous Coward

        Re: My partner used to be a member

        To be fair, while I think Corbyn was useless, I think he did about the best anybody could have done with the situation he inherited.

        The underlying problem is that Labour had been trying to appeal to two opposing groups of people to create their voting block, the working class, and the middle class. New Labour managed to make this combination an unstoppable behemoth by appealing to both the working and middle classes by being vague and often self contradictory.

        The working classes were purged from Labour's management and the middle class takeover of labour led to them taking a policy on Brexit popular with the middle classes (ie; reverse the "wrong" answer given in the referendum without another vote because they knew they wouldn't win it) despite the obvious issue that the working class voters would obviously not be happy with this. In a further genius move this was combined with sneering at the working class voters that there was nothing they could do about it, and if they didn't like it they should "fuck off and vote for the Tories"; this concept of course being unthinkable for a proper left thinking Guardian reader.

        Predictably to anybody with at least two brain cells at the next election all of the people who had been told to "fuck off and vote for the Tories" either did so or just stayed at home, and Labour ceased to exist as a serious electoral force, collapsing to the lowest result ever recorded since the party's formation. To appease and encourage these voters back following Corbyn's departure in a move of complete genius they then put the architect of that plan in charge of the party, ensuring that the "lowest result ever recorded" is likely to be the new high water mark for Labour.

    3. DevOpsTimothyC

      Re: My partner used to be a member

      retaining the personal information of non-members for an an excessive period of time

      I imagine there was a cost involved with membership, in which case HMRC will demand ~7 years of records. Putting that to the side did you partner send a GDPR notice to inform the Labour that they were withdrawing their consent and would like all their data to be removed?

      If they didn't do that I'm sure Labour could simply say "As demonstrated by the fact this person paid for membership they were interested in politics as such we are keeping them informed. Failure to continue paying just indicates they no longer wish to participate in party elections" as a reason for retaining the data.

    4. Anonymous Coward
      Anonymous Coward

      Re: My partner used to be a member

      > Seems like its time to report them to the ICO for retaining the personal information of non-members for an an excessive period of time.

      I highly doubt the ICO will do anything with such a complaint!

      I was affected by a data leak/breach of a large worldwide "social network"-related company (not Facebook BTW) last year. I had actually stopped using the company's services approx 8 years prior to then but, as was often the case with such "social" companies back then they provided *no* means to delete accounts, only to deactivate them so at the time I manually deleted what personal data I could from the account and deactivated it and eventually after a few years forgot the account had even ever existed.....until I received the data breach notification email from the company last year.

      So I submitted a SAR (as well as a complaint) to see what data the company still had - this included several items of "special category" personal data. I then opened a case with ICO and, after about 6 months, ICO decided to take no action at all and closed the case. ICO basically said "well you never asked them to delete your data".

      In fact in my ICO complaint I had pointed out that (a) the company had a policy of *never* deleting accounts when I last used their service (in approx 2012), (b) since GDPR came into force the company had introduced a means to delete existing active accounts (though intentionally making it awkward) but that they continued to retain data from already deactivated accounts (effectively indefinately), and (c) whilst their Privacy Notice did mention data retention in general it made *no* mention of retention for deactivated accounts, indeed it made no mention of deactivated accounts at all.

      ICO just didn't care...they're a chocolate fireguard

    5. charlie-charlie-tango-alpha

      Re: My partner used to be a member

      And so did I until I became completely and utterly cheesed off with Corbyn.

      I had to laugh though when I received my copy of the email telling me of the "cyber" attack and warning me that some unspecified "information provided to the Party by its members, registered and affiliated supporters, and other individuals who have provided their information to the Party" had been compromised because when I first tried to resign I received a wonderful email from the party saying:

      "I am very sorry that you are thinking about resigning your membership.

      Unfortunately based on the information from your email we are unable to find you on our records."

      So they can't have lost much about me.

  8. Anonymous South African Coward
    Facepalm

    The party has been targeted before.

    And clearly did not learnt their lesson the first time round....

  9. krivine
    Trollface

    Not some footballer then?

    "The UK's Labour Party, the official opposition to the country's ruling Conservatives..."

    Can someone let Sir Kieth know?

    1. Snapper

      Re: Not some footballer then?

      Ummmmmm....do you mean Sir Kier (his wurkin' class credentials yer know).

  10. VulcanV5
    Happy

    Total inability to support underdogs in politics . . .

    Absolutely brill-i-ant!!!

  11. Anonymous Coward
    Anonymous Coward

    Sounds Like a "Single point of failure"

    So where is the "backup"?

    C = Confidentiality ****I think not now

    I = Integrity or Incompetence

    A = Availability *** Backup lost in translation as we opted for cheaper option

  12. The Mole

    I was expecting Total Inability to Support Unions' Party

    1. Santa from Exeter

      Acronyms

      Or possibly, Totally Inebriated Student Union Party as a description of Labour?

  13. Anonymous Coward
    Anonymous Coward

    Further proof

    that all politicians know fuck all about how the internet works, let alone security. No doubt the "third party" concerned was the cheapest.

    I also note that, after reading the article twice, they don't seem to know what info has been compromised. How reassuring to to the people affected.

  14. DCdave
    Joke

    I trust the affected were notified in the proper fashion

    All user emails in the To: field, with an Excel of the compromised data attached.

  15. Anonymous Coward
    Anonymous Coward

    Another one for the gallery

    We have a running gag at work. Every time when our frontline defenses against email nasties see a blip above the normal noise, we try to guess the time till the next so called "cyber attack".

    Last uptake with multiple instance of the same virus not found by connection and weak inspection defense (aka we have to scan this thing and not simply check the hash): Night from monday to tuesday. 56 hours from our internal report till news at The Register or other news is more than my guess of 39 hours. I assumed another east German district.

    I think the cow-orker betting on a political party or known charity has won.

    And they call these things "cyber attacks".

    Cynical, experienced what's the difference?

  16. Christopher Blackmore

    Interesting. They still have my email, though I left yonks ago. Not happy about that.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like