UK Labour Party blames breach of members’ data on third-party cyberattack

The U.K.’s Labour Party has confirmed a cyberattack on a third-party company has led to the compromise of members’ data.

In an email sent to all party members and posted to its website, Labour said it was informed of a “cyber incident” by an unnamed third-party data processor on October 29.

Details remain thin, but Labour said the incident led to “a significant quantity of party data being rendered inaccessible on their systems.” A person responding to the incident told Sky News that the incident was a ransomware attack on Labour’s third-party supplier. Labour has yet to confirm this, and TechCrunch has asked for more.

The scale of the breach is also unclear and it’s not yet known what data has been compromised. Labour, which holds financial information on paying members, said that the affected data “includes information provided to the party by its members, registered and affiliated supporters, and other individuals who have provided their information.”

However, it appears a number of former and non-members were also impacted by the incident. One Twitter user claims they received the data breach notification despite having left the party in 2009, while others said they also received the email despite having never been a party member. Some say they are affected by the data breach, even though they aren’t Labour Party members, but paid the political fee as a member of a Labour-affiliated union.

Labour has about 430,000 members. The party’s statement said its investigation is underway. It’s also informed the National Crime Agency (NCA), the National Cyber Security Centre, and has informed the Information Commissioner’s Office (ICO).

A spokesperson for the NCA said: “The NCA is leading the criminal investigation into a cyber incident impacting on the Labour Party. We are working closely with partners to mitigate any potential risk and assess the nature of this incident.” The ICO — which recently urged U.K. political parties to improve data protection practices — has also confirmed that it is actively making inquiries into the incident.

The Labour Party said it was also working closely with the unnamed third-party supplier to “urgently investigate” the full nature, circumstance and impact of the incident. It stressed that its own data systems were unaffected in the attack.

The incident isn’t the first time that the Labour Party has been impacted by ransomware. Last year the party alerted members that data stored by company Blackbaud had been compromised in a ransomware attack. At the time, the party said it believed that information about donors over a period of several years had been compromised.