Data breach rumours abound as UK Labour Party locks down access to member databases
Breakaway MPs accused of making off with info
The UK's Labour Party has been forced to lock down access to membership databases and campaign tools over concerns the info was being sucked up by breakaway MPs, in a possible breach of data protection laws.
The party's general secretary, Jennie Formby, yesterday said Labour had "become aware of a number of attempts to access personal data" on its systems by "individuals who are not, or are no longer, authorised to do so".
The inference was that one or more of the Labour MPs that have this week left the party to form The Independent Group had slurped members' details to take with them for use in future campaigns.
Under the UK's Data Protection Act 2018 (s170), it is an offence to obtain or retain personal data without the consent of the controller – which means someone downloading a database of members' deets is likely to find themselves in hot water.
Formby noted this in her email – which was shared on Twitter by political journo Robert Peston.
"Anyone accessing, using or otherwise processing data without authority or for an unauthorised purpose is at risk of action by the [Information] Commissioner's Office," the message read.
Formby also pointed out that the info will likely reveal a person's political opinions, which makes it "special category" data that is entitled to increased protections under the law.
However, a data controller also has responsibilities to make sure data is properly protected, which includes ensuring that people who aren't entitled to access data are unable to do so. The General Data Protection Regulation (PDF) states the controller is responsible for ensuring personal data is:
"Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."
Last year, Bupa was fined £175,000 after one of its staffers made off with more than half a million customers' personal information and tried to sell it on the dark web. The ICO said the firm should have had measures in place to stop the bulk download.
No doubt in light of these responsibilities, Labour shut off access to Organise, the party's volunteer management and comms tool, and Contact Creator, the tool used to produce materials and monitor campaigns – irking volunteers and other Labour MPs, like Walthamstow's Stella Creasy, in the process.
This also means it’s hard for us to make contact with members and reach out to them to help them know they are welcome and wanted in our movement- or help organise any campaigns with them for the causes they care about. Really frustrating! https://t.co/rZAeM2aHwN— stellacreasy (@stellacreasy) February 20, 2019
But Formby's email suggested that the info had already been accessed – and it isn't clear whether this occurred before the person, or people, had left the Labour Party. If it happened after, the party could be open to criticism for having failed to revoke access to the databases.
It's also possible – depending on how the data was obtained – that charges of a breach of the Computer Misuse Act could be levelled at the miscreant(s).
In November, Mustafa Ahmet Kasim – a car industry worker who used a colleague's login details to snag customer data and pass it to phone scammers – was sentenced to six months in prison after pleading guilty to the charge of causing a computer to perform a function with intent to secure or enable unauthorised access to personal data.
More broadly, the party could also face questions over the number of people with access to its databases, which appears to include MPs and both paid and voluntary campaigners.
Despite Formby's strong words in the email to MPs, it isn't clear whether the party has reported the incident to the ICO. When asked, the ICO didn't confirm either way, but did offer this statement:
Organisations have a legal duty to ensure the security of personal data they hold. Any organisation which believes personal data it holds has been accessed illegally should report the matter to the ICO.
The party's sudden interest in data protection follows years of sailing close to the wind when it comes to laws on direct marketing. David Lammy MP was fined £5,000 after 35,000 automated calls were made during his campaign to be named mayoral candidate – and Labour is not alone in this.
The Labour Party did not respond to a request for comment. ®
Sponsored: Becoming a Pragmatic Security Leader