
Exclusive: Evans admits outsourced Labour member data breach, National Crime Agency involved

Evans admits ‘sensitivity’ of issue after murder of Sir David Amess – but asks personnel not to comment publicly

Labour is about to send out the following message admitting a breach of data protection laws that has led to the involvement of the National Crime Agency, the National Cyber Security Centre, the ICO and parliamentary security:

Dear Colleague,

Please see below a message that will shortly be sent out by the Party in respect of a data incident.

I fully recognise the sensitivities involved with this message, especially in light of recent events. I want to assure colleagues that since this came to our attention, we have been in close contact with the relevant authorities, including the National Crime Agency, National Cyber Security Centre, the Information Commissioner’s Office and Parliamentary Security. We will continue to liaise with them closely.

If you have questions, I would ask that these are directed to the email address referenced in the message. We will also continue to update the webpage

I would ask colleagues to refrain from any public commentary (on social media or otherwise) on this matter.

Best wishes,

David Evans
General Secretary

Wednesday 3 November 2021

Dear Sir / Madam,

We are writing to you to let you know that a third party that handles data on our behalf has been subject to a cyber incident. While the Party’s investigation remains ongoing, we wanted to make you aware of this incident and the measures which we have taken in response. We have also provided details of precautionary steps you may consider taking to help protect yourself.

What happened?

On 29 October 2021, we were informed of the cyber incident by the third party. The third party told us that the incident had resulted in a significant quantity of Party data being rendered inaccessible on their systems. As soon as the Party was notified of these matters, we engaged third-party experts and the incident was immediately reported to the relevant authorities, including the National Crime Agency (NCA), National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). The Party continues to work closely with each of these authorities. The Party is also working closely and on an urgent basis with the third party in order to understand the full nature, circumstances and impact of the incident. The Party’s own data systems were unaffected by this incident.

What information was involved?

We understand that the data includes information provided to the Party by its members, registered and affiliated supporters, and other individuals who have provided their information to the Party. The full scope and impact of the incident is being urgently investigated.

What are the Labour Party doing?

The Party takes the security of all personal information for which it is responsible very seriously. It is doing everything within its power to investigate and address this incident in close liaison with law enforcement, the Information Commissioner’s Office and the affected third party.


52 comments

    1. If giving members’ data to an external organisation which fails like this isn’t against GDPR we should legislate so that it is.

  1. As an ex member I want to know if my data was still held and if that got into outside hands.

    1. I left in July. Still received an email from them last week asking me to reconsider my decision. So it would not surprise me if they still have ex-members’ details on their database.

      1. Back and beyond….you have my condolences it’s a hell of a shock to find they’ve been touting ex members from years ago to a third party laundry.

  2. I would ask colleagues to refrain from any public commentary (on social media or otherwise) on this matter.

    And if I was a ‘colleague’ I’d tell you to get bent.

    Third party outsourcer….Hmmmm

    Does that ex-mossad geezer count as third party, I wonder? I think we should be told.

    1. Toffee I don’t think that they can flog off our data as nobody’s interested in it in LFI land. Now Steve H would be another story in his Caribbean bolt hole no doubt.. I can think of a few who Kaplan might be interested in on here so better to be safe Toffee and cancel the luxury cruise. I wonder what old crafty bollocks is really up to? Evans help us and his nibbs in isolation?…smokescreen?

      1. Thank God I have had “The Email as well” …I was beginning to think I had been left out..and ignored. Well done Labour party managing to send an email to an old comrade recovering from a touch of dengue fever in the middle of nowhere…..I hope that you got a good offer on the assorted details including ex members and it saves you from Bankruptcy.?.PS what a whizz idea a job lot of lefties’ details….for a knockdown price.

  3. I wonder how this episode would be used?
    Would the Labour Party decide that branch secretaries can no longer be trusted to hold personal data of branch members?
    Would it extend to CLP’s Secretaries and Vice-Chairs membership?
    It wouldn’t surprise me at all, so glad I cancelled my DD.
    I agree Joseph we should be told the identity of the “third party”

  4. This is outrageous! I want to know who or what organisation is the ‘third party’ mentioned? I want to know what has happened on my data?

    1. David…..IF this lot were lying down they still couldn’t be straight..There’s some third “Party” having a butchers with yours and others’ details now.

  5. The third party told us that the incident had resulted in a significant quantity of Party data being rendered inaccessible on their systems. As soon as the Party was notified of these matters, we engaged third-party experts

    1. Just HOW MANY ‘third parties’ are there working for the THE party?

    2. Why T absolute F isn’t the original third party an ‘expert’ if they’re handling others’ data?

    3. WHO employed the original third party, and in WHAT capacity?

    4. Was the original third party operating ENTIRELY WITHIN their remit?

    5. If not, WHY not?

    Whole effing thing positively reeks to the high heavens.

    1. The likud party?…or fifth column experts at spying, maybe check out Kaplan newboy and ex Israeli military intelligence agencies, now employed by the Labour party alarmingly….We must be Told?

  6. I received an email as well. We need to know who the third party are?

  7. I find all the different parties slightly confusing. Who is that third party Evans is on about? And exactly what data has been compromised? The email is not very clear. Oh what shambles.

  8. Very surprised to receive this communication on the grounds that since day one I have never received a single communication via the Organise or whatever system is used by CLP and Branch Secretaries to send out notification of meetings etc and have had to rely on other members to forward such notification.

    Not that these days it makes a great deal of difference because the incompetence at national level is replicated at lower levels with notification for local meetings at CLP level (at least in this neck of the woods) being anything from a couple of days to a couple of hours rather than the seven days required in the model rules/SO. Even then you don’t always get all the required paperwork associated with the meeting.

    However, I digress.

    What no one seems to have explicitly observed is the fact that the permission given by members to hold and use our data was only on the basis of that data being held and used by the Labour Party. Not some third party contractor.

    At the very least this represents a breach of trust if not a breach of contract on the part of the LP in handing our data to a third party without our permission.

    There should now be a deluge of complaints to the ICO against those Party officials responsible and the Party for this criminal level negligence which has, potentially illegally, handed our data to a third party or other third parties without our express permission.

    This should be followed up by criminal prosecution against those individuals and/or other legal entities responsible.

    1. Dave – “What no one seems to have explicitly observed is the fact that the permission given by members to hold and use our data was only on the basis of that data being held and used by the Labour Party. Not some third party contractor.”

      You are deluding yourself.
      The facts tell a different story – https://labour.org.uk/privacy-policy/

      1. The entity previously known as the Labour Party, along with its wormtongue cap doffing, forelock tugging Uriah Heep trolls such as yourself Steve can formulate whatever internal procedures you want to your heart’s content.

        However, all that is irrelevant as it is trumped by Data Protection and GDPR legislation. The dis-organisation which is the LP is quick enough to demand compliance to this legislation of members when, for example we use it for internal candidate selection campaigns. Consequently, the law applies to the Party, its elected officials and paid employees.

        Neither I nor any other member have given permission for any other entity than the LP to use, misuse, store, utilise, etc our personal data in such a criminally negligent way. Such data includes the compromising of our bank account details for those who pay fees by direct debit.

        Anyone else doing this would be going to jail.

      2. Addendum,

        Some people seem to have trouble reading and understanding basic English.

        The Third Party section of the LP Privacy link is very specific. Seeing as I like you today, stevie boy, – because I might not like you tomorrow – I’ll Janet and John it for you just this once:

        Here’s what it actually states:

        “Where personal data is provided TO US by a third party,”

        You do know the difference between data provided BY a Third Party (about members) and data provided TO a Third Party (about members) don’t you steve?

        Pesky things these facts eh what old boy!

      3. Dave – Oh for goodness sake get over yourself, you are just making yourself look silly.
        There are loads of legitimate and lawful reasons why data will be shared with trusted 3rd party companies for processing and/or storage. There is provision for this in the legislation.

      4. The only way I wanted my data used was email address to receive emails, and the DD instruction re membership payment. I did not give consent to have my data shared with nebulous and questionable third parties.

      5. There are plenty of legitimate reasons that your data might be shared with a 3rd party contractor eg: Snail mail to members. To date there is absolutely no evidence of any wrongdoing by the Labour party.

  9. Well, this is what happens when you use cheap outsourced companies with crap protection of data it gets stolen….

    Now, these fools will try and claim it’s not their fault and nothing bad will happen this is of course a lie. I am so glad I left this sinking ship it’s sad to watch and I feel no satisfaction but the once great Labour party is exploding. This right-wing cult of the new Labour 2.0 mob has no one apart from themselves to blame…..

    Damn, I forgot let me guess it’s all Jeremy’s fault their nemesis!

  10. In 2019, Labour reported Joan Ryan to the Information Commissioner over claims she tried to access sensitive data held by the party. Joan Ryan denied the alleged data breach, which was said to have taken place after Ryan and seven of her colleagues resigned to join The Independent Group.

    Labour officials cut off access to its canvassing software, claiming unauthorised attempts had been made to access membership lists.

    Given the ongoing purges, rapidly declining membership numbers, and the presence of a former Israeli military intelligence cyber security expert – hired to do what exactly, who knows? Can malfeasance be completely ruled out?

    Tbh, would the blacklisting of those who cancelled their memberships when Corbyn was suspended surprise anyone?

    Poor show indeed, that a ‘third-party’ data storage specialist can see sensitive, confidential data exfiltrated like this – normal practice is to use segmentation and encrypt, limiting access and potential losses.

  11. I’ve got THAT email too .. It arrived in my Junk/ aka “spam” folder!

    As stated above – many CLP members have suffered because of incompetent IT systems within the Party. In our CLP I and other members have had emails about meetings landing in their spam folders and as a relatively new member of the Labour Party I was horrified to be told this was normal .. and had been for years ..

    However this “third party” outsourcing is apparently a new thing and I would like to know
    (1) When this outsourcing took place?
    (2) Who decided on it?

  12. Received an email from Labour earlier informing me about the data breach. I left the Labour party before Starmer was appointed leader. They also suspended me from the party. Absolutely shocked that they are still holding my data.

    1. David Lowton –

      Article 17, the GDPR : An individual has the right to have their personal data erased if: The personal data is no longer necessary for the purpose an organization originally collected or processed it.

      Maybe everyone should enquire as to what’s retained and for what purpose?

      “Party data being rendered inaccessible on their systems…” – sounds like a ransomware attack, whereby it’s encrypted and hasn’t necessarily been exfiltrated.

      Outside the Labour party can’t really see any value in email addresses, telephone no. and home address?

    2. Making a complaint to the ICO (Information Commissioner’s Office):

      https://ico.org.uk/make-a-complaint/

      GDPR Article 6.1 States:

      “Processing shall be lawful only if and to the extent that at least one of the following applies:

      a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

      f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

      Would seem to be relevant here.

      As does Article 21.1 Right to Object

      “1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”

    3. Me too. I got the email tonight. I left 18 months ago. Why do they still have my data?

  13. Just finished reading comments, thought I would check emails. Bloody ‘ell – I left in July 2020 and after the first raft of ‘will you reconsider’, ‘please send another email’, etc etc. find I have received this email, the first in approximately 13 months!

    1. On the basis that you left the Party in July 2020 it would seem reasonable to imply from the fact you were in receipt of this communication that the Labour Party has kept your data on its database even though you are no longer a member.

      This is also potentially a breach of your UK Data Protection and GDPR rights. I would go on the ICO website for a live chat ASAP – office hours 09:00-17:00 (working from home during the pandemic apparently).

      Unfortunately, it does not seem possible to submit a complaint to the ICO until you have raised this with the LP and given them one calendar month to respond.

  14. Who is this ‘third Party’ ?
    Who sanctioned this third party to hold my data ?
    When were members informed that their data was being held by a third party & was there an ‘opt out’ of this ?
    What exactly is the data that the third party hold of mine ? ( is it my name, D.O.B, address, email address, bank details ??)

    1. lundiel
      Ambulance chasers could bankrupt party with a killer claim if this is anything like their previous abuses of process
      Fill your boots
      I also think this is the time to cancel my direct debit
      Regards

  15. Just had ‘the email’ from hq (left the party following JC’s defenestration) and quelle surprise no hint of an apology. Surely they wouldn’t be covering their arses?

  16. Those of you that are still members may find this interesting

    “The Labour Party plans to hold trigger ballots for MPs from November 2021 to June 2022 according to a new paper that will soon be considered by members of the ruling national executive committee, LabourList can reveal.
    Sources say the decision is being taken on the basis of the opposition party’s working assumption that the Tories will want to hold a general election in spring 2023, before the new parliamentary constituency boundaries kick in.”
    https://labourlist.org/2021/11/exclusive-labour-plans-to-hold-mp-trigger-ballots-from-november-to-june/

  17. It’s two years ago that I left the Labour party and maybe there’s a leak at HQ from disgruntled staff that former members’ info has been flogged off for nefarious purposes.? I cannot think of any legitimate reason for the emails as I hadn’t heard from the Labour party for obvious reasons that I have not been a member for some years. Lo and behold I have a long email?

  18. In a surprising move the USA’s Biden administration has put the Israeli NSO Group on a US blacklist after it determined the Israeli spyware maker has acted “contrary to the foreign policy and national security interests of the US”.
    The finding by the commerce department represents a major blow to the Israeli company and reveals a deep undercurrent of concern by the US about the impact of spyware on national security.

  19. At least we now know why the membership number never moved down even when we knew people were leaving in their thousands.

    1. lundiel – Yet more silly nonsense. The Labour party’s preferred method of reporting membership numbers is to include lapsed members for six months. I’m not saying that I agree with it but it is worth noting that this is the same method that was used throughout Corbyn’s tenure. We periodically get an insight into the actual number of fully paid up members from internal election returns.
      eg
      July 2017 – 538,606
      November 2017 – 525,779
      June 2018 – 506,320
      November 2019 – 430,359
      January 2020 – 552,835
      August 2020 – 495,961
