120k police officers in the UK have had their personal details exposed

data breach

What happened in this case?

The Police Federation of England and Wales (PFEW), has suffered a severe data breach across a number of its databases. As a result of a ransomware cyber-attack, the names, email addresses, National Insurance numbers, ranks and serving forces of around 120,000 police officers have been exposed. The breach affects officers at all levels up to the rank of chief inspector.

In addition, a second database has also been affected. This violation involves a booking system for the PFEW conference and hotel facilities in Leatherhead. The breach includes the names, addresses and email addresses of guests who visited for leisure purposes. Any guests who stayed at the facilities between 1 September 2018 and 9 March 2019 may also have had their financial details (credit card number and expiry date) put at risk. The breach does not affect officers who stayed as Federation representatives on courses.

A third database has also been breached. This involves the PFEW claims case management system. Any member who requested PFEW assistance for an investigation, inquiry or complaint during their service (if dealt with at HQ at Leatherhead) could have had their name, address, National Insurance number, and bank details accessed by cybercriminals.

The PFEW was alerted to the ransomware cyber-attack on March 9th. However, members were not informed about the breach until 21st, and a helpline for those affected was only made available from Friday 22 March.

Local Federation branches have not been affected.

How has the Police Federation responded?

In a letter to its members, the Federation said: “We are deeply sorry that this has happened and that data we hold about you has been affected and know that this will cause you some concern.

“We have instructed a leading forensics firm to help us investigate the matter. This is a complex process and will take some time. Indications are that it was not targeted specifically at PFEW and was likely part of a wider campaign. There is also no evidence at this stage that any data was extracted from PFEW’s systems, although this cannot be discounted at this stage. Whilst we consider at this stage the risk of your data being extracted or misused is low, we wanted to alert members as to the risk at the earliest opportunity.”

This response is not good enough

Commenting on the breach, Kingsley Hayes, managing director at Hayes Connor Solicitors said: “While the Federation claims that the risk to data is low, there is no way that they can know that. In many data breach cases it can take months for the full impact and losses to become apparent. We have seen instances where the financial losses only start to occur three to six months later. This is often because data stolen is used in batches over time.

“What’s more, simply knowing that your details could be in the hands of cybercriminals can lead to anxiety and distress. Experiencing a data breach can result in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury.

“For police officers knowing that their personal information could be in the hands of criminals is bound to be even more distressing.”

What is happening now?

The PFEW has been working with the National Crime Agency who is dealing with this incident as a criminal offence. It has also put a number of measures in place to help stop the further spread of the malware. In addition, the Federation is liaising with the National Cyber Security Centre and the Information Commissioner’s Office as this matter is investigated.

Where to get help

The Federation has said that any officers concerned about fraud or lost data should contact Action Fraud. Advice can also be obtained from the National Cyber Security Centre.

The PFEW helpline is also available on 0800 358 0714. Opening hours are Monday to Friday 8am to 6pm, and Saturday and Sunday 9am to 3pm.

Furthermore, the PFEW website has the latest information and FAQs regarding this breach.

Claiming for compensation

At Hayes Connor, our expert solicitors deal with a significant number of data breach cases every day. During our work, we see many different types of claims and understand how data breaches can affect people in different ways.

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation.

In most cases, data breaches happen because of a failure to implement reasonable and robust processes. So claiming compensation isn’t just in your best interests, it is often the only way organisations will be persuaded to take their responsibilities seriously and make the necessary improvements.

If you have been affected and want advice contact us today