Can you claim compensation for the Police Federation data breach?


The Police Federation of England and Wales (PFEW) has admitted that it suffered a severe data breach across a number of its databases. This data privacy violation happened as a result of a ransomware cyber-attack. A criminal investigation has now been launched into the Police Federation cyber-attack.

What happened in the Police Federation data breach?


In a Twitter statement, posted on 21st March, the PFEW said: “We can confirm we have been subject to a malware attack on our computer systems. We were alerted by our own security systems on Saturday 9 March. Cyber experts rapidly reacted to isolate the malware and prevent it from spreading.”

The statement also included a press release with more information about the attack. You can read this in full here.

However, people were soon pointing out that the PFEW took 12 days to inform its members about the attack. And the way some members found out was also questioned.

“So this happened on 9th March and it is only now the 21st March that you tell your paying members?? Absolutely disgraceful handling by the federation.”



“I’d rather my OH not be told via a press release, but direct contact from federation! Press releases are for the public not the potential victims.”


“So if the attack was discovered on 9th March, why did it take 12 days to alert everyone? I assume you have reported your data breach to the information commissions office?”


“Members are always last to find out. Why has it taken over 11 days to inform your members…”



What information was exposed in the PFEW data breach?


The names, email addresses, National Insurance numbers, ranks and serving forces of around 120,000 police officers may have been exposed. The breach affects officers at all levels up to the rank of chief inspector.  

Any guests who stayed at the PFEW conference and hotel facilities in Leatherhead between 1 September 2018 and 9 March 2019 may also have had their financial details (credit card number and expiry date) put at risk.

In addition, the PFEW claims case management system has also been compromised. So any members who requested PFEW assistance for any investigation, inquiry or complaint could have had their name, address, National Insurance number, and bank details accessed.

However, the PFEW claims that there is no evidence at this stage that any data was extracted from PFEW’s systems, although this cannot be discounted.

Local Federation branches have not been affected.

How did the PFEW ransomware attack impact police systems?


Ransomware is a type of malicious software. Typically, cybercriminals use it to threaten to publish the victim’s data, or to block access to that data, unless a ransom is paid. Ransomware attacks are becoming more widespread.

As a result of this ransomware attack, the PFEW suffered severe disruption to services. Backup data was also deleted. Indeed, following the breach the PFEW has made the “difficult decision” to cancel its national conference in June. A statement on Twitter read:

“Experts in business recovery estimate it takes 4 – 6 months to recover from a cyber-attack and with annual conference due in 9 weeks it would not be possible to deliver this on time.”


Can you claim compensation for the Police Federation data breach?


The Information Commissioner’s Office (ICO) is aware of the situation. However, while it has the power to impose hefty fines on organisations that fail to meet their data protection requirements, the ICO does not award compensation.

But, should the ICO find that the PFEW did not meet its data protection requirements, you could have a claim for compensation. 

Indeed, even if there is no immediate evidence that personal and sensitive data was successfully extracted from PFEW systems, that doesn’t mean that there will be no impact on those officers affected. In many data breach cases it can take months for the full implications and losses to become apparent. We have seen instances where the financial losses only start to occur three to six months later. This is often because data stolen is used in batches over time.

What’s more, simply knowing that your details could be in the hands of cybercriminals can lead to anxiety and distress. Experiencing a data breach can result in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury.

For police officers, knowing that their personal information could be in the hands of criminals is bound to be even more distressing.

Make a Police Federation data breach claim 


We are experts in data breach cases, committed to helping victims of data breaches and cybercrime to achieve the justice they deserve, and we have launched a no-win, no-fee group action to compensate victims of the Police Federation cyberattack.

By now, those who have been affected should have been emailed. If you have received this email, you may be able to claim compensation once the matter has been investigated.

To ensure that you are fully informed and kept up-to-date, simply fill in our quick form and we will notify you about the investigation and your legal rights when making a claim.

In March 2024, our firm changed its name to KP Law. 
