At Keller Postman UK, we are helping 13,000 active and former PFEW members fight for justice following the 2019 cyberattacks at the Federation. But four years after the incidents, affected PFEW members still haven’t been told exactly what happened. To help shed some light on this shocking security failure, we have collated some of the frequently asked questions put to our data protection lawyers about this breach and attempted to answer them.
What happened in the Police Federation data breach?
The Police Federation of England and Wales (PFEW) suffered a severe data breach across a number of its databases and servers. The first attack occurred on 9 March 2019 when entry to the PFEW’s network was gained via a “password spraying” attack. This happens when common username and password combinations are used to gain access to a system or network. A robust password protocol should have stopped this initial attack from being successful.
A further, separate ransomware attack took place on 21 March 2019. This attack impacted the PFEW’s wider IT network. The entry point was a remote access support tool used by an IT service provider. According to the PFEW, while it has uncovered no evidence that any personal data was accessed, downloaded, or targeted as a result of the cyber incidents, “the attackers’ unauthorised access to PFEW’s network means that they had the theoretical ability to access certain personal data held by PFEW.”
If no data was accessed, is there a claim?
Yes! On its website, the PFEW states that it is highly unlikely that personal data has been “exfiltrated”. It claims that, without proof of exfiltration, PFEW members and retired officers do not have a claim for compensation.
This is not true and “exfiltration” is not the legal basis for our action against the PFEW.
Under the GDPR, a ‘personal data breach’ is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The mere fact that the PFEW’s databases were encrypted by the cybercriminals shows that personal data was unlawfully processed – and PFEW has admitted that it failed to take appropriate technical measures to protect its members’ data!
The PFEW has admitted that it cannot recover much of the data, that data has been lost, and that data has been destroyed because of the cyber-attacks. Furthermore, the PFEW cannot confirm exactly what happened to its members’ data. Although it continues to claim that there is ‘no evidence’ that data was taken by cybercriminals during the attacks, it cannot say for sure.
For these reasons, and because of the distress caused by not knowing what has happened to the compromised data, affected members and former officers have valid compensation claims against PFEW.
It is misleading, and the PFEW does its members a disservice, to suggest otherwise.
What data has been compromised by poor security processes at the PFEW?
Personal information has been compromised, including sensitive special category health data.
The compromised information includes:
- The NI numbers, ranks and serving forces of around 130,000 police officers at all levels up to the rank of chief inspector
- The names, home addresses and email addresses of guests who visited the PFEW conference and hotel facilities in Leatherhead. Some guests may also have had their financial details put at risk
- The names, home addresses, NI numbers, and bank details of members who requested PFEW assistance for any investigation, inquiry, or complaint.
- The home addresses of police officers held on the PFEW branch databases.
Am I affected by the PFEW data protection breaches?
Your data might have been compromised in the attacks if any of the following apply:
- You were a PFEW member on or before March 2019
- You are a retired officer and you were a PFEW member prior to your retirement
- You stayed at the PFEW conference and hotel facilities in Leatherhead between 1 September 2018 and 9 March 2019
- You made a claim for PFEW assistance with any investigation, inquiry, or complaint before March 2019
- The PFEW contacted you to tell you that your data was compromised in this breach.
Those affected should have been contacted by the PFEW. But this hasn’t happened in all cases. So, if you suspect your data was compromised but you have not had this confirmed, contact our data protection experts for help.
If I haven't been notified about my involvement, could I still have a claim?
Yes. Years later, we are still receiving enquiries from police officers who were never notified about the breach. We think this is unacceptable.
In particular, many retired officers were affected but not notified of the PFEW cyber incidents. This is a significant failure by the PFEW. Indeed, because the Federation holds officer data until their death (or their 100th birthday), retired officers could be involved in this data privacy violation, even if they were not PFEW members at the time of the breach.
If I wasn’t a PFEW member at the time of the attacks, does that mean my data was not involved?
Not necessarily. If you became a member of the PFEW after the data security violations in March 2019, you can rest assured that your data was not part of this breach.
However, if you were a member BEFORE 2019, but had given up your membership when you retired, you are likely still involved. This is because the Federation holds officer data until their death (or their 100th birthday).
Has the PFEW admitted liability?
Yes and no.
In March 2022, three years after the incident, the PFEW finally admitted liability for unlawfully processing police officers’ personal data by not having the appropriate technical and organisational measures in place. However, PFEW claims that, as there is no evidence that data was actually taken, it does not owe affected members compensation.
But organisations are expected to make efforts to prevent any loss, destruction, or unauthorised disclosure of the personal data they have collected. Further, they are expected to share details about data breaches with those who have been affected. So, even if no data was exfiltrated in the security incidents, a clear GDPR data protection breach has occurred. As such, affected serving and retired officers are entitled to claim against PFEW.
How have the data security incidents affected members of the PFEW?
The PFEW data breach could have significant consequences for its members. Our clients have told us that they are appalled the PFEW did not inform them about the data breach, that they are worried that the breach has put them and their families at risk, and that they feel let down by the PFEW. Many members have experienced lasting distress following these cyberattacks.
What’s more, because the PFEW failed to take sufficient steps to notify all those affected, members were left exposed and were not given the opportunity to protect themselves from such threats. This added to victims’ worry when they eventually found out about the breach.
What evidence do I need to join the PFEW action?
If the PFEW has informed you in writing that you were involved in the breach, we can use this confirmation to start your claim. But, as we have established, the PFEW did not notify everyone affected.
If you were a serving police officer during March 2019 and a Police Federation member, or a retired officer who had previously been a member of the PFEW, we can find out if you were involved.
It is not too late to join our action
Our case is progressing through the Court, and we are currently representing 13,000 PFEW members on a no-win, no-fee basis. This ensures they have access to the absolute best lawyers without worrying about legal fees.
It’s not too late to join our action and we would encourage any members who wish to sign up – or to invite friends and colleagues to join our fight for justice – to do so.