Outsourcing
There’s your weakest link.
The UK's Greater Manchester Police (GMP) has admitted that crooks have got their mitts on some of its data after a third-party supplier responsible for ID badges was attacked. According to the Manchester Evening News the stolen data included the names and pictures of police officers held by the supplier for use on thousands of …
Well, it's a supply chain attack. You can't expect the police (even if they were organised nationally rather than by constabulary) to insource everything.
Whether your supplier is properly equipped to handle your highly critical data, and whether you have the mechanisms and contractual clauses to enforce that handling... that's a much more interesting question. And you want to outsource to a foreign jurisdiction with a notoriously inefficient or partisan judiciary? I can't see how that could possibly go wrong!
Also, both in this breach and several others, we are not being told the name of the breached supplier. Was it the same as in the case of the Met breach?
https://www.theregister.com/2023/08/29/met_police_data_breach/
It seems unlikely that (a) each police force has a different supplier and (b) each supplier has different security standards for different clients. Conclusion: once the Bad People got inside they downloaded a whole bunch of <policeforce>.xls files which they are now releasing one at a time.
I don't mind you outsourcing the supply of tea bags, paper clips and truncheons, but suppliers of CRITICAL products and services to sensitive organisations such as the police really should have in depth security audits of their systems and practices with the highlighted deficiencies followed up, or the function should stay within the organisation.
How difficult is this to understand?
It’s not difficult to understand at all, it’s perfectly reasonable. But who would carry out said audits? Presumably if the police service in question had people capable of doing it, then they could just do it themselves in house!
In any case audits often tend to be a box ticking exercise, a company has all the possible policies and procedures documented and ready to show - it’s far, far harder to verify that they actually are following them, 24x7x365 and not just for the duration of the audit!
I think it comes down to tendering, if I had a requirement for xyz and I put it out to tender, and had four responses quoting £10 million, £11 million, £9 million and half a million for apparently the same level of service, then surely the alarm bells would ring? The problem is that unless I can absolutely prove that the latter bidder is completely incompetent, then I am sort of obliged to go with the lowest bidder, but then again I am covered on the grounds that I have saved the taxpayers’ money, no?
I just made an agreement to take over all the police security systems after guaranteeing their security, and to stay safe I'm posting this announcement as anonymous (not a joke) because I'm Jack and to keep everything secure and popular in the legal system I'm not going to mention my surname (Theripper).
LOL, I laugh at so many posts "Posted by a snivelling, miserable coward" ... one of El Reg's finest icons! I'm always happy to post on El Reg (I post nowhere else) and the complete selection of posting icons is a great advantage that says one thing, often very accurate but always makes me smile!
Outsourcing.....save money!
Cloud.....save money!
Abandon that EXPENSIVE data centre....and all those EXPENSIVE processes (like backups!).....
....and here we are.....ransomware, wide open AWS databases, SolarWinds........................
....and, of course, all that money saved!
Well, presumably money was saved, well for a while, a short while but long enough for whoever made the decision to be handsomely rewarded for their management skills in saving taxpayers’ money! Of course much later on when the proverbial hits the fan, said person has long since retired with an impressive pension pot, his or her successor just needs to turn out the usual ‘lessons have been learnt’ (actually no they haven’t), excuses and also walk away with a handsome reward for their ‘professional handling of this difficult situation’ and probably an even more impressive pension pot! Oddly enough all paid for by the aforementioned taxpayer! Oh and plus any damages awarded to police personnel who find themselves damaged by this ‘unfortunate and totally unforeseen* event!’
Has always been so, probably always will be. Although it is tempting to assume that subjecting these people to the same fate as the Sirius Cybernetics Corp’s marketing department, ‘pour encourager les autres’, will improve matters, it won’t. Such is human nature - sigh!
*well, unforeseen by anyone with an IQ in double digits, and/or prepared to look at anything beyond how it enriches them!