Labour members left in dark over data breach

Following news last year of a data breach affecting the Labour Party, in which a “significant quantity of party data” was rendered “inaccessible”, Byline Times and The Citizens can confirm that the party is still stalling on attempts from members to find out what data was held on them, nearly eight months on from the incident.

Labour was informed of the breach on 29 October 2021, yet did not inform members or release a statement until 3 November, five days later.

In its statement, the party said that “a third party that handles data on our behalf has been subject to a cyber incident”, adding that “the data includes information provided to the party by its members, registered and affiliated supporters, and other individuals who have provided their information”, and that the party had engaged the National Crime Agency (NCA), the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).

The third party in question, the digital agency Tangent, was responsible for handling party membership data, and was reportedly targeted by an unknown ransomware group that held the information hostage. Tangent reportedly refused to pay the ransom, and the attackers then corrupted the database, rendering it inaccessible.

In response to the initial hack, the campaign groups The Citizens and The Eyeballs collaborated to develop a Subject Access Request (SAR) generator, helping individuals to ask, as is their right, what data Labour held on them.

The tool was launched in late November 2021 and was used by an initial set of more than 90 people. After Labour failed to respond, respondents were asked to send a further prompt on 12 January, and once again in mid-April. Of the 25 applicants who saw this process through to the end, so far not one has recorded receiving a response from the party, save in some cases an early email asking for photo ID.

Many of those who got in touch also mentioned that they had gone to the ICO separately, with one person stating: “I have received nothing yet. The ICO has just sent me an update stating they do not believe the Labour Party has fulfilled their obligations, but that the ICO is unable to act as a mediator in these circumstances”.

In an email from the ICO, the organisation outlined that it had “conducted a meeting with Labour regarding this matter. However, no timeframe [for a resolution] was given by the ICO to Labour within this meeting”.

The ICO website states that, under the UK GDPR, “Individuals have the right to access and receive a copy of their personal data, and other supplementary information”, and that organisations “should respond without delay and within one month of receipt of the request”.

That period can be extended by up to two further months if the request is complex or an organisation has received a number of requests from the same individual, but even then the organisation is duty-bound to inform the individual of the extension and the reasons for it within one calendar month of receiving the Subject Access Request.


Data Disaster

Labour says that its own systems were not affected by the breach, although its membership webpage has been down since the incident and the party does not have a complete or up-to-date membership list beyond December 2021.

The lost membership data also recorded which members were in arrears with their payments, so selection meetings were disrupted too: local parties could not easily check whether candidates were eligible.

What’s more, in the months since the breach, Labour has not told anyone what specific data was actually accessed, nor has it provided a complete breakdown of the information that it holds on people.

However, it is known that the breach affected people who left the party as long ago as 2014, while some who received the message had never actually joined the party. Speaking to The Citizens, one individual said: “I left the Labour Party in 2016, after they waved through the Investigatory Powers Act – so that’s five years between my leaving and the data breach!”. 

Those who had never joined were, as Labour’s notification about the incident highlights, generally affiliates through union membership or one-time donors to the party. Another respondent said: “I have never had full Labour membership, my affiliation to Labour comes from my [Communication Workers Union] membership and the political levy from my union subs. I have been a CWU member for over 15 years. I have never had any contact with Labour about my data.”

The party website states that it can hold information on party members for up to 15 years (in the case of Electoral Register data), and for between six and 10 years for names, addresses, donation values, call notes and correspondence, and profiled data. Similarly, the Conservative Party says it is obliged to retain financial information for a period of six years.

The Labour breach raises questions about party political data being retained for such a long time, whether the safeguards put in place by the parties are currently adequate, and why Labour has not acted transparently in relation to this affair.

The potential for sensitive information – like financial, constituent, or other identifiable data, including current party membership status – to be stolen and abused by malicious actors is an acute problem. 

The disgraced big data company Cambridge Analytica, for example, used information from Facebook, insurance company call centres and UKIP membership data to micro-target potential swing voters in the build-up to the EU Referendum, not to mention its role in the 2016 Republican presidential nomination and the federal election campaign of Donald Trump.

Labour’s inaction in responding to the Tangent breach has now resulted in at least five firms taking up class-action lawsuits on behalf of members. These firms are also filing Subject Access Requests on behalf of those affected.

One of the firms contacted The Citizens, saying that it had “1,000 claimants” and in a statement on its website wrote that: “When appointing a third party to manage its data, Labour was responsible for ensuring that it would be processed and protected in line with UK data protection laws, and routinely and securely backed up. This doesn’t seem to have happened. 

“Indeed, our early investigations, combined with the party’s refusal to be accountable and honest following the hack, suggests that Labour’s data protection processes are nothing short of shambolic.”

The firm also mentioned that Tangent has recently denied liability for the breach which, coupled with Labour’s refusal to answer members’ requests, has resulted in a transparency black hole for people concerned about how their data is being managed by the party.

Tangent and the Labour Party did not respond to requests for comment.

This story was first published in Byline Times