>While the Labour Party is primarily responsible for data it collects, that doesn't excuse third-party data processors from obeying the law.
It does not, but GDPR is notable in that the requirement to disclose the breach to the data subject falls entirely on the data controller (i.e. the Labour party). The processor, acting on the controller's behalf, is only required to disclose breaches to the parent controller and not the end data subject (who they are generally prohibited from contacting anyway).
Knowing that a breach has occurred but not which supplier it happened with is, for better or worse, standard practice. What's unusual is Labour have made a point of explaining that this has hit a third party. Smells like an attempt to shift the perception problem to someone else - the legal problems, such as they are, cannot be shifted. The buck stops with the controller, not the processor.