In November 2021, the Labour Party confessed to a membership database breach. In this quick guide, our expert data protection solicitors explain what happened in the Labour Party data breach, how members and former members are impacted, and what they should do to stay safe.
The Labour Party data breach happened after criminals accessed the systems of Tangent, a private contractor that managed Labour’s member system. The criminals held the data hostage in a ransomware attack, but Tangent refused to pay the ransom, so the criminals behind the attack corrupted the database, making the data loss permanent.
This is not the first time the Labour Party has been involved in a data protection controversy. Emma’s Diary, an app that gave medical advice and free baby-themed goods to parents, sold user information to Experian Marketing Services. This data was used to create a database that the Labour Party manipulated to profile new mums in the run-up to the 2017 General Election.
Here’s what we were told about the breach at that time:
Labour Party members affected by the breach have been informed, and they have been offered advice to manage any potential risks. This includes being vigilant against suspicious activity and implementing two-factor authentication (2FA) where possible. However, that Labour members have been put in this position in the first place is a serious failure.
The data breach affects more than just Labour Party members. Since the hack, many people have taken to social media, including Twitter, to ask why their data was held by the party. In particular, many former members have received notification that their data has been compromised, despite leaving the party, sometimes years ago.
Thousands of members, former members, registered and affiliated supporters could have had their confidential information stolen by cybercriminals.
In Labour’s notification letter, it was not clear what data had been exposed. And, despite months passing since the privacy violation was made public, the Labour Party is refusing to tell members what data has been exposed.
Whether Labour is failing to cooperate because it does not know what data was compromised, or it simply doesn’t want to tell victims, it is putting its membership at increased risk of fraud, scams, and emotional distress. This is unacceptable and unforgivable. Following a data breach, criminals often use stolen data to carry out phishing and other forms of scams against those affected. By refusing to provide further information on this breach, Labour is making it impossible for the very people who support the Party to protect themselves.
What we do know is that political parties hold a wealth of information on members and non-members, and there are genuine concerns about what has been accessed, and what will now be done with it.
At Keller Postman UK, our data protection solicitors have provided some helpful tips on how to protect yourself following a data breach or cybercrime.
“The Labour Party data breach happened months ago, so it is concerning that the question of what was stolen still hasn’t been answered. When appointing a third party to manage its data, Labour was responsible for ensuring that it would be processed and protected in line with UK data protection laws, and routinely and securely backed up. This doesn’t seem to have happened.
Indeed, our early investigations, combined with the Party’s refusal to be accountable and honest following the hack, suggest that Labour’s data protection processes are nothing short of shambolic.
It is well established that, following a data breach, criminals often use stolen data to carry out phishing and other forms of scams against those affected. By not telling members what data has been exposed, Labour makes it incredibly difficult for the very people who support it to protect themselves.
Controversial data analytics firm Cambridge Analytica improperly used personal data harvested from millions of Facebook users to subvert the democratic process in the US and the UK. And should criminals with a political agenda decide to use the Labour Party data for their own ends, the consequences could be devastating.
The Electoral Commission, the ICO, a Department for Digital, Culture, Media & Sport committee, and The Institute of Practitioners in Advertising have all raised concerns about using data to micro-target specific voters. According to an ICO report:
“Citizens can only make truly informed choices about who to vote for if they are sure that those decisions have not been unduly influenced.
“The invisible, ‘behind the scenes’ use of personal data to target political messages to individuals must be transparent and lawful if we are to preserve the integrity of our election process.
“We may never know whether individuals were unknowingly influenced to vote a certain way in either the UK EU referendum or in the US election campaigns. But we do know that personal privacy rights have been compromised by a number of players and that the digital electoral ecosystem needs reform.”
Following the breach, Keller Postman UK launched a no-win, no-fee group action data breach claim to hold those responsible to account.