Labour Party supplier ransomware attack: Who holds ex-members' data and on what legal basis?

Mystery surrounds the Labour Party ransomware attack, with former party members who left years ago saying their data was caught up in the hack – while official sources refuse to say what really happened. Yesterday, after Prime Minister's Question Time in Parliament, the political grouping once referred to as the Official …

  1. Anonymous Coward
    Anonymous Coward

    >While the Labour Party is primarily responsible for data it collects, that doesn't excuse third-party data processors from obeying the law.

    It does not, but GDPR is notable in that the requirement to disclose the breach to the data subject falls entirely on the data controller (i.e. the Labour party). The processor, acting on the controller's behalf, is only required to disclose breaches to the parent controller and not the end data subject (who they are generally prohibited from contacting anyway).

    Knowing that a breach has occurred but not which supplier it happened with is, for better or worse, standard practice. What's unusual is Labour have made a point of explaining that this has hit a third party. Smells like an attempt to shift the perception problem to someone else - the legal problems, such as they are, cannot be shifted. The buck stops with the controller, not the processor.

    Holding data for 10 or more years is not unusual, particularly if they're minimal records for the purposes of recording erasure or subject to a legal/statutory hold. Labour's privacy policy details how long they keep different classes of records, and there are at least two categories of data that are held for 10 or more years, neither of which strike this data protection wonk as particularly unreasonable.

    1. Gordon 10 Silver badge
      Thumb Up

      Nice Analysis

      "The processor, acting on the controller's behalf, is only required to disclose breaches to the parent controller and not the end data subject (who they are generally prohibited from contacting anyway"

      Correct - but you are assuming the 3rd party was a processor. It's possible they were another controller, though that wouldn't explain the radio silence unless there is a dispute between the LP and the Third Party over which category they fall into, and the contracts haven't been updated for GDPR to be clear on that point.

      Good digging on the Deletion Policy though - that was going to be my next question.

      1. Anonymous Coward
        Anonymous Coward

        Re: Nice Analysis

        >Correct - but you are assuming the 3rd party was a processor. It's possible they were another controller...

        Afraid not. While an organisation can and usually is both a controller and processor in some capacity, when it comes to the specific data handling in question you are exclusively *the* controller or *a* processor. For a given data item and activity you cannot be both and the disclosure responsibility is solely the controller's.

        1. Gordon 10 Silver badge

          Re: Nice Analysis

          Re AC

          "Afraid not. While an organisation can and usually is both a controller and processor in some capacity, when it comes to the specific data handling in question you are exclusively *the* controller or *a* processor. For a given data item and activity you cannot be both and the disclosure responsibility is solely the controller's."

          Not quite correct, as the same data can be used for different purposes and it's the Purpose that defines Controller/Processor, i.e. what they say they are doing with the data. It's possible that someone can be a controller and processor for fundamentally the same data, but with different Purposes. In practice though this doesn't happen very often, if only to keep each party's sanity, but it can happen in big corporates where the left hand isn't speaking to the right hand on either side.

          The bit where you try to translate legal purposes into business processes and then into data processing and storage is where Data Privacy legislation breaks down imo, because fundamentally you are trying to translate something abstract and legalistic into IT systems, and the end result is usually a fudge/risk acceptance that doesn't suit anyone perfectly but is the pragmatic response to avoid getting trapped in a blizzard of edge cases.

      2. Mike 137 Silver badge

        Re: Nice Analysis

        "who they are generally prohibited from contacting anyway"

        There is no prohibition on a data subject approaching a processor. The processor has an obligation to forward any such approach to the data controller.

        Article 82 states "A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller", so a processor that spills your data accidentally is indeed individually liable.

        1. Anonymous Coward
          Anonymous Coward

          Re: Nice Analysis

          Other way round gov. The processor has no duty to contact the data subject; that's the controller's job. And unless they're engaged for the purposes of communicating with the data subject on the controller's behalf they're probably not permitted to do so. And of course given it's them that's likely ballsed up they've got no incentive whatsoever to come clean, so no processor with even a hint of sense will or should attempt to contact the data subjects.

          Transfer of liability to the processor* is probably subject to SCCs and horse trading, so ultimately it's still on the processor to get it all sorted out.

          *That's assuming they did break the law or violate a SCC - it's possible to be breached without violating GDPR, e.g. if attacked by a very-high-level state actor/persistent threat or similar that would have required commercially unreasonable efforts to protect against, while otherwise following current best practices. Hence this being a matter of perception rather than liability, which I'd imagine the supplier are none too happy about, hence them not being named.

      3. iowe_iowe

        Re: Nice Analysis

        Surely there can be only one data controller, otherwise looks like a recipe for disaster..?

        1. Gordon 10 Silver badge

          Re: Nice Analysis

          In this particular case probably yes. But in many B2B industries where there are multiple middle men it's possible to be a joint controller.

          The travel industry is a good example. You might have a travel agent, a website/aggregator, the service or content owner all interacting and adding value to fundamentally the same customer data in different ways. Joint Controllership is very common.

  2. Anonymous Coward
    Anonymous Coward

    Didn't Labour recently recruit a former Israeli Spy

    to monitor their members and their members data?

    1. Uncle Slacky Silver badge

      Re: Didn't Labour recently recruit a former Israeli Spy

      For the downvoter: https://electronicintifada.net/blogs/asa-winstanley/uk-labour-party-hires-former-israeli-spy

      1. Graham Cobb Silver badge

        Re: Didn't Labour recently recruit a former Israeli Spy

        As I understand it, every Israeli has to do national service. His was in an intelligence unit.

        That doesn't really make it much more or less likely he is doing dastardly things in his subsequent employment by the Labour Party - which seems to be for social media crap.

        Any actual allegations? Or, better still, evidence for involvement in this data protection cock-up?

        1. Ian Mason

          Re: Didn't Labour recently recruit a former Israeli Spy

          Yes, Israelis have to do national service for 2 1/2 years - he was in a cyber warfare unit for 5 years (and there's nothing to say that is his sole time in military service) so I think that says 'career military' rather than 'conscript'. That doesn't imply that he's a malicious actor, unless one is predisposed to regard any Israeli military volunteer as malicious.

          That said, I'd be deeply suspicious of any foreign national with a military intelligence background embedding themselves into the administration of another country's major political party, especially where they could potentially have unfettered access to membership details, emails, etc. Employing such seems a bit careless to me.

          I've passed over job applications from similar when I was working in the telco/ISP arena. "You what? You hired an ex-spy from another country to work on core telecommunications systems and you didn't think that might be a problem?" Yeah, best to dodge the inherent risks with that one.

          One of the companies I worked with during that time was Finnish. Over there it's a legal requirement for telco employees to be vetted by the Finnish Secret Police. Might seem a bit extreme, but I can see the logic in it. One hopes that the Finnish Secret Police were pursuing a security angle rather than looking for people they could subvert; I wish I could say that I thought MI5 would be that honourable in similar circumstances.

          1. eldakka Silver badge

            Re: Didn't Labour recently recruit a former Israeli Spy

            > he was in a cyber warfare unit for 5 years

            Do you have anything to say he wasn't just a janitor? Or worked physical security at the door? Or wasn't a techie that re-imaged their desktop computers when someone fubared it?

            Working for a cyberwarfare unit or even an intelligence unit does not equate to 'spy'.

            I'm not saying he wasn't, but the burden of proof is on the one who puts forward a theory - that he was a spy.

            1. WolfFan Silver badge

              Re: Didn't Labour recently recruit a former Israeli Spy

              I see that, at last count there were seven who downvoted my previous comment. And zero who provided any evidence whatsoever to show that the Israeli in question was:

              1. Actually a spy

              2. In any way connected to the problem

              3. Didn't do the job for which he was hired by the Labour Party

              4. Guilty of anything other than being Jewish

              1. sed gawk

                Re: Didn't Labour recently recruit a former Israeli Spy

                You have it backwards, the only thing that's not a hard pass about his background and suitability for the role is him being Jewish.

                The rest is a shocker - Served in the army of an occupying power helping to repress a civilian population.

                That's quite enough - unlikely to be able to treat people from that background with impartiality at the very least.

                His faith is of little consequence; his possible involvement in crimes against humanity is more in the foreground.

                If you are seriously pushing the idea, that perhaps as a conscript, he was "only following orders", then I offer you the example of the https://www.aljazeera.com/news/2021/9/16/asylum-appeal-of-anti-zionist-jewish-israeli-who-refuse Or perhaps, he was "present but not involved" https://www.theguardian.com/world/2014/sep/12/israel-unit-8200-refuseniks-transcript-interview

                Oh and as for the implied smear - can I introduce you to China - https://www.theregister.com/2020/09/04/fcc_huawei_zte_replacement/

                Spooky ex MI guy in Political party = no bueno

                1. WolfFan Silver badge

                  Re: Didn't Labour recently recruit a former Israeli Spy

                  And no one has still provided any evidence of any wrongdoing on his part, either in Britain or Israel.

                  I calls em as I sees em, and what I see is the usual anti Israel crowd crawling out from under their rocks.

                  1. sed gawk

                    Re: Didn't Labour recently recruit a former Israeli Spy

                    "evidence of any wrongdoing on his part"

                    In 2003 [during the second intifada] there was this general routine for the IDF to bomb buildings at night as a response to terrorist attacks or to pass a message or … whatever you like. After an especially bad terrorist attack in south Tel Aviv by the old bus station there was a decision that the response had to be more harsh this time.

                    The action that was decided upon was to destroy from the air a building belonging to Fatah, which wasn’t the organisation that was responsible for the terrorist attack. And the building wasn’t related in any way to military activity. It was some kind of welfare centre where they were giving out pay cheques.

                    Unlike previous times, an essential part [of the operation] was that building wouldn’t be empty and there would be people there, no matter who. Someone had to be there in order to die. The role of our unit was to give the green light for this attack. To say when the building isn’t empty. So this lieutenant – whose name wasn’t published – refused.

                    At first he tried to get the action cancelled. And then he spoke with his commanders but still found himself in real time being asked for that information. And even when he knew that now the building is not empty and was supposed to give the green light he said: “I’m refusing, I’m not doing it.” He got the operation cancelled.

                    The response of all the senior commanders – in the unit and in the military – was to be shocked by him daring to refuse a direct order that he had received. That was the only kind of inquiry that was taken into the matter. There were some reports – just days after the incident, in the Israeli media – but they were wrong. They changed the goal of the operation and said the goal was a targeted killing of …

                    https://www.theguardian.com/world/2014/sep/12/israel-unit-8200-refuseniks-transcript-interview

          2. Aussie Doc Bronze badge
            Big Brother

            Re: Didn't Labour recently recruit a former Israeli Spy

            "...I'd be deeply suspicious of any foreign national with a military intelligence background..."

            To be fair, I would expect any 'real' spy-type person to be a tad more inconspicuous than that but then I don't know much about how the spy world works.

            1. heyrick Silver badge

              Re: Didn't Labour recently recruit a former Israeli Spy

              That's exactly it. A bloke who was a spy and has something to hide is unlikely to declare anything of that nature in a job application. Instead there will be some mundane-but-applicable fake job in the place of all the Jason Bourne shit.

              1. sed gawk

                Re: Didn't Labour recently recruit a former Israeli Spy

                8200 are SIGINT not SPY, he's an analyst processing raw intel into something usable to hand over to someone else.

        2. WolfFan Silver badge

          Re: Didn't Labour recently recruit a former Israeli Spy

          Anti-Israel types don’t need no stinking evidence.

          1. sed gawk

            Re: Didn't Labour recently recruit a former Israeli Spy

            https://www.theguardian.com/world/2014/sep/12/israel-unit-8200-refuseniks-transcript-interview

            https://www.btselem.org/publications/fulltext/202101_this_is_apartheid

            The evidence of apartheid directed at a civilian population, and the direct involvement of this person make them unsuitable for a position in a democratic political party.

            The abhorrent behavior rising to crimes against humanity is well documented. People find it unacceptable in Palestine, as in South Africa.

      2. adam 40 Silver badge

        Re: Didn't Labour recently recruit a former Israeli Spy

        That is quite a volte-face for Labour who are so pro-Palestine.

  3. Pascal Monett Silver badge

    "after 10 years why do they still need that data?"

    Simple : they hoover up every tidbit they can get their grubby little hands on, but have no way of knowing what is useful today, so they keep everything for fear of deleting something they actually need.

    The term packrat comes to mind.

    1. Anonymous Coward
      Anonymous Coward

      Re: "after 10 years why do they still need that data?"

      A few years ago I heard one Labour official/politician boasting in a radio interview that they (I think possibly referring in particular to his constituency party) knew how everyone voted as they had "canvass records going back for decades".

  4. Mike 137 Silver badge

    Another good reason

    Yet another good reason why current DCMS proposals to reduce the specificity and formality of the current GDPR accountability obligations should be resisted. Responses close on 19th November, so there's still time, and there's absolutely no reason why you must use the massive online response form (c. 170 cunningly loaded questions). Free form submissions to the email address on page 143 may or may not make DCMS happy, but they're pretty much obliged to consider them. Although this consultation is aimed at 'experts' it's time for the public to get involved and have their interests recognised.

    1. G40
      Pint

      Re: Another good reason

      Thanks for the reminder


  5. Primus Secundus Tertius

    The Other Lot

    I'm a member of the other lot. I wonder when my data will go walkies.

    1. Anonymous Coward
      Anonymous Coward

      Re: The Other Lot

      well, both lots probably outsourced your data to the same 3rd party lot, so...

      1. Aladdin Sane

        Re: The Other Lot

        The Lib Dems?

        1. Anonymous Coward
          Anonymous Coward

          Re: The Other Lot

          Lib Who?

        2. 2+2=5 Silver badge
          Joke

          Re: The Other Lot

          > The Lib Dems?

          You're safe - they keep their membership database on a 72KB floppy.

          1. David 132 Silver badge

            Re: The Other Lot

            ITYM a single post-it note.

        3. John Brown (no body) Silver badge
          Thumb Up

          Re: The Other Lot

          That was my first thought when I kept reading "third party" in the article and comments :-)

          1. Anonymous Coward
            Anonymous Coward

            Re: The Other Lot

            Well, the current 3rd party in the House of Commons is actually the SNP, and the LibDems are quite a long way further behind them...

    2. Doctor Syntax Silver badge

      Re: The Other Lot

      "I wonder when my data will go walkies."

      We don't know exactly what data was involved. If it included their copy of the electoral roll it may have gone walkies already.

      1. IamStillIan

        Re: The Other Lot

        Na - if it was the roll they'd be the processor, and have to notify the administering council(s), who'd presumably have to mail us all ..

    3. Anonymous Coward
      Anonymous Coward

      Re: The Other Lot

      How do you know that your data hasn't already gone walkies?

    4. Kane Silver badge
      Joke

      Re: The Other Lot

      "I'm a member of the other lot. I wonder when who my data will go went walkies to."

      There, FTFY.

  6. Anonymous Coward
    Anonymous Coward

    The National Cyber Security Centre press office failed to answer its phone. The ICO declined

    ...while the call to the Russian embassy came up with the usual: "This number has not been recognized, please check and don't try again!"

  7. Rob

    Putting all the obvious GDPR, data breach shenanigans aside for a sec, I'm appalled that they went to an American firm to design their website!

    We always bought local with public money, sometimes casting the net wider if local industry didn't have the skills, but always in the UK. It's WordPress for fcuk sake, you could throw a piece of paper (unfolded) and hit any number of designers and developers for WordPress.

    1. Doctor Syntax Silver badge

      Maybe the firm has an Islington office.

  8. yetanotheraoc Silver badge

    Bright side

    Maybe this attack will allow the politicians a clearer view of the downsides generally of data collection, i.e. the NHS data grab.

  9. Missing Semicolon Silver badge

    No offence committed

    Don't be silly. Those laws don't apply to US!

  10. John Brown (no body) Silver badge

    Don't hold your breath waiting for information...

    ...After all, it's hard enough getting any real info from a commercial operation's PR department. These are political animals. Lying is easier than breathing for them IMO.

  11. Anonymous Coward
    Anonymous Coward

    "Where personal data is provided to us by a third party, we will make sure that these third parties have provided you with appropriate privacy information on the sharing of this data with the Labour Party and that they have a clear lawful reason for sharing this data."

    I never received it. I'm fairly sure other members never received that.

    I never knew that after the disappointment of Starmer being appointed as leader, that the party could cause me further disappointment. That's my own fault though, expecting too much of the "worker's" party.

  12. jollyboyspecial

    1998

    "'Under GDPR they certainly can't hold it. If there's no ongoing reason to have hold of it, I would say after 10 years why do they still need that data?' said Culverhouse, adding that the fact the data was captured and stored long before GDPR and the Data Protection Act 2018 came into force doesn't matter."

    Not only that, but the data retention rules under the previous 1998 act were broadly similar IIRC.

Biting the hand that feeds IT © 1998–2022