Personal details of Greater Manchester Police staff have been hacked after a company was targeted in a cyber attack that used a weakness in a business partner.
The firm in Stockport, which makes ID cards, holds information on various UK organisations including some of the staff employed by Greater Manchester Police (GMP).
The hack means thousands of police officers’ names are at risk of being placed in the public domain.
One officer, speaking anonymously to the BBC, said while the names of many officers were publicly available, there was particular concern regarding the identities of undercover officers.
Assistant Chief Constable Colin McFarlane said he understood how concerning the matter was.
“At this stage, it’s not believed this data includes financial information,” he said.
“We have contacted the Information Commissioner’s Office and are doing everything we can to ensure employees are kept informed, their questions are answered, and they feel supported.”
Orange Cyberdefense Director of Strategy and Alliances Dominic Trott said that the attack proves the need for businesses to ensure they prioritise the security of their supply chain and third-party partners.
“This is another example of why organisations must ensure that supply chain risk management is a top priority. There have been several well-publicised incidents in recent years – attacks on smaller companies which have had a huge knock-on impact on multiple other organisations. Incidents such as the SolarWinds and Kaseya compromises revealed how vulnerable we are to attacks via the supply chain, as well as illustrating just how interdependent computer systems and the businesses that use them are with one another,” Trott said.
“The message is clear – no matter how secure businesses’ systems are, they are always at risk via third-party suppliers. Senior leaders need to have a clear understanding of what security controls, personnel, and processes a third party has in place, which is typically handled through something as straightforward as a questionnaire. However, this is both a ‘point in time’ approach and difficult to measure. We expect a more standards-based approach, at least as agreed within an individual supply chain, to emerge as a more resilient method,” he said.