Analysis comment Exclusive

Labour’s notification of data breach likely also broke data laws

Second email likely an attempt to cover for glaring omission in first

Labour’s data breach – revealed only yesterday despite the party knowing about it last week – when it outsourced members’ sensitive information to an outside company, apparently without members’ permission that was subsequently hacked – was notified by the party in an email from David Evans to hundreds of thousands of members.

That email also broke data laws.

The ‘GDPR’ data protection legislation introduced in 2018 requires any sender of emails to a mailing list to provide a clear and obvious method of unsubscribing from any further communications – but the email simply ends at ‘Kind regards, the Labour Party’, with no option at any point for readers to unsubscribe.

Recipients have also reported having left the party as long as a couple of years ago and receiving confirmation from the party that their data had been deleted at their request – and yet not only were apparent victims of the hacking of current data, but also still on Labour’s database in order for the party to send yesterday’s email.

Further emails without an opt-out were sent this morning.

Labour has still not identified the third-party provider that was subsequently hacked in a ‘ransomware’ attack, putting members’ sensitive data in the hands of criminals. The party has told victims they should not discuss the breach or mention it publicly.

SKWAWKBOX needs your help. The site is provided free of charge but depends on the support of its readers to be viable. If you can afford to without hardship, please click here to arrange a one-off or modest monthly donation via PayPal or here to set up a monthly donation via GoCardless (SKWAWKBOX will contact you to confirm the GoCardless amount). Thanks for your solidarity so SKWAWKBOX can keep bringing you information the Establishment would prefer you not to know about.

If you wish to republish this post for non-commercial use, you are welcome to do so – see here for more.


  1. I commented earlier my email does not request me to not discuss the data breach with others. There’s a link to a privacy email address I can use to contact the party with. However it does not contain the option of unsubscribing.

    I am awaiting a reply to my email asking the party to identify to me who this third party is. Who have been given personal information without my permission.

    1. I left too, and am also awaiting a reply as to why they retsined my data, guess we’ll be waiting a long time for a reply, they’ll prob attatch asomething to our data to mark out us troublemakers who have the audacity to question the stalinites

    2. I was expelled late summer/early autumn 2020.

      So could my data be at risk?

      1. Brian – Why don’t you write to the Labour party expressing your concerns and ask them. Of course things may alter as the investigations progress but from what has been revealed to date it seems none of us has much to fear from this ‘data incident’.

      2. Experience suggests that steveH’s advice here should not be relied on for any results. Many members have already been through such sorry excuses for a ‘process’ on any number of fronts and issues only to find themselves in a Kafkaesque loop of selective application of rules, due process and values by malevolent and incompetent sectarians.

        By all means go through the motions to satisfy the ICO process of giving the entity previously known as the Labour Party one calendar month to respond. But don’t hold your breath. Follow that up immediately with a direct email to the ICO requesting formal proceedings.

        Ditto with steveH’s naive and dangerous delusion that any risk is minimal. The data in question does not simply include mere contact details it will also include the information held by the principle organisation (entity formally known as the LP), the Third Party given access to it in a staggering example of criminal negligence, and now others equally malevolent but a lot less incompetent than the principle organisation, necessary to transfer membership fees between bank accounts.

        That means every members bank account details contained in this data is now potentially compromised. The level of malevolent incompetence and negligence on display here makes Bloody Stupid Johnson and the Tories look paragons of virtue and good governance in comparison.

        Those who seek to downplay this in implicit support for the indefensible are also culpable in defending a level of corruption of values which has undermined democratic choice. Such voices should be ignored for the charlatans and snake oil salesmen they are.

      3. Dave – As I said above.
        Of course things may alter as the investigations progress but from what has been revealed to date it seems none of us has much to fear from this ‘data incident’.
        To date we don’t know if any unencrypted data has been stolen.

      4. “what has been revealed so far”

        Another way of framing something as ‘move along, nothing to see here.’

        The pathetic excuses being trotted out to minimise the indefensible are becoming increasingly desperate and threadbare.

      5. Dave – Given what we know to date could you define the indefensible.

      6. In this instance/context the definition you are allegedly seeking can be found in the DPA and GDPR.

        I suggest you spend some time studying and getting suitably acquainted with them rather than going off half cocked (like the average tankie does) all the time.

      7. I’m already familiar with the legislation. Have been for some time. Your need is clearly greater than mine. I suggest you get on with it.

  2. It appears to me there were TWO emails and I suggest that the first of these (which
    refers to recipient as a colleague) was intended for Labour staffers but was mistakenly
    sent to some LP members.

    I only got the second which does NOT refer to me as a colleague or advise me not to
    comment on Social Media ..

    The email does not include “unsubscribe” option either ..

    Sheer incompetence I would say

    1. Have you considered that the lack of an unsubscribe option may have something to do with the party having a legal obligation to inform you. 🤔

  3. We need to know who the third party that held the data and what stare they taking to ensure this doesn’t happen again. David Evans should lose his job over this and Keir should resign over this shambles.

    1. Not stupid at all. A sensible question that demands an answer. If they approved it then they should all resign.

  4. I received the email although I’m not (and have never been) a member of the Labour Party – perhaps because I’m a member of an associated organisation? Or on various related email lists? Whatever I’d like to know which email list is associated with the data breach – soo I can get off it!

  5. It gets better.

    This isn’t the first labour member data breach. Blackbaud were hacked in May 2020. Went public two months later…

    …As the party revealed at the time, the breach included members’ names, email addresses, phone numbers, and amounts donated.

    While the party said immediately after the breach that no sensitive data like bank account information, passwords, or usernames were exposed, Blackbaud’s forensic investigation revealed that the threat actors had access to unencrypted banking info, credentials, and SSNs…

    That’s two data breaches in less than 18 months…

  6. Evans almost makes that nuckfugget dildo harding look nearly competent.

    But, that’s the standard you can expect from smarmite labour….Whether you’re subscribed, or not!

    This week, I shall spend (what would’ve been) my subscription fee, on cinder toffee, with it being bonfire night, and all.

      1. Much more enjoyable, but every bit as.bad for your teeth.

  7. In other news, paterson’s spewed it as an MP, citing he was ‘seeking a life outside the cruel world of politics’.

    Cruel? Lucrative beyond the wealth of Croesus, I think he means.

    It’d bring tears to a glass eye, so it would. 😒

  8. Well, at least we know why the membership never went down despite so many leaving. I’ve been gone nearly three years yet still got an email.

    1. Bloody hell! It seems everyone’s but me’s getting one. I’m starting to feel neglected. 😕

      1. Youve always been very good at creative details such as name and address Steve H centrist Dad davidh…SH….Steve Hall….You’re not any longer entitled to member but need to pay the increased cost of “international member of the Labour party.Can you at the very least show some honesty otherwise all your comments and votes are basically invalid

  9. Members of my family have received the email only ever having paid for the 3pound, and then 25pound vote in the leadership elections, so were registered as affiliate members back then. I wonder how long legally the party was allowed to keep their data for.

    1. No longer than necessary…..according to GDPR Rules….

      If you’ve left then it shouldn’t be necessary to keep it unless they’re selling it or wrongfully using it. They’re in big trouble.

      1. The only evidence I have seen of Labour selling members data is them charging each of the candidates in the 2020 leadership contests several thousand pounds each (+vat) for access to the membership database. Do you have any credible evidence that membership data has been sold.

  10. Yep, got the email. I left in Jan this year. GDPR states that data should not be retained for longer than necessary. I do wonder what sort of data they are still holding about me. If it includes bank details, I can foresee and very costly class action…

      1. Unfortunately experience of a lot of members is that asking such questions is, at best, the equivalent of chucking something into a black hole and at worst poking a malevolent entity with a sharp stick which is likely to result in disciplinary action.

        You might have a right to ask a question but those with the duty and responsibility to answer such questions – along, of course, with the Uriah Heep’s who cheerlead for and excuse them regardless of how malevolent, incompetent, criminally negligent and sectarian they act – clearly don’t accept that members have the right to a coherent, serious, relevant and acceptable answer.

        Unless one has got deep enough pockets to drag these charlatans kicking and screaming through the courts to provide an answer you might just as well submit a written request to a corpse.

        The only guarantee one has, even in those circumstances, is the steveh will bust a gut and die in ditch to excuse it.

      2. Dave – So that’s your excuse for doing nowt.
        If the Labour party refuses to answer legitimate questions then you can then ask the ICO to enforce the regulations, it won’t cost you a penny. However if you can’t be bothered to ask then you can’t complain.
        The choice is yours.

      3. In this instance the correspondence to the ICO was dispatched yesterday so I wouldn’t fret lad.

        Not that I’m holding my breath. Previous experiences (plural) of going around this loop have made clear that the ICO has little in the form of effective clout. In the absence of an avalanche of members flooding that body to the extent of being too many to ignore past precedence suggests the likelihood of institutional inertia rather than effective action being the order of the day.

  11. I left the Labour Party in January 2019. I wrote to them and explicitly told them to delete my personal data. Yesterday I received a “Notification of Data Incident” email from them…

  12. Claudia Webbe: MP convicted of harassment gets suspended sentence
    Claudia Webbe was expelled from Labour Party after being given suspended prison sentence.
    Last month Westminster Magistrates’ Court heard she made several calls over two years and threatened the woman with acid.
    Webbe was handed a 10-week sentence, suspended for two years, on Thursday.
    The 56-year-old made 16 calls to Michelle Merritt, a long-term friend of Webbe’s partner Lester Thomas, between September 2018 and April last year in a campaign of harassment borne out of jealousy, the court heard.

      1. Lots of people seem to be getting this email. Did you get one too or are you in my boat?

  13. For those who have left the party, they are still members for six months after that period if you’ve not paid your subs you’re no longer a member. Maybe they can keep your information for longer if you’ve had a case brought against you or you them. Otherwise this is going to be one hell of a crisis for the party as people sue them over what appears to have been a ransomware attack. A backup is not a backup if it’s only on one computer and questions need to be asked about any due diligence by the party to ensure the data is protected and properly backed up. David Evans should be made to resign at the very least and the third party involved holding the data should be made responsible for any damages the party incurs due to legal action taken against it.

    1. Christopher – The website seems to be working OK. I can log in and change my details.

      1. Joseph – Who is this Hall guy that you keep obsessing about?

      2. SteveH. I don’t think you’ve actually read my post correctly. David Evans should resign or be sacked.

      3. Christopher – I was responding to the part of your post where you intimated that the disaster recovery procedures were inadequate.
        “A backup is not a backup if it’s only on one computer and questions need to be asked about any due diligence by the party to ensure the data is protected and properly backed up.
        Given the very limited knowledge that we have about this ‘data incident’ what possible justification do you have for sacking Evans

      4. SteveH. As the head of the organisation the buck should stop with Evans. A backup is not a backup unless you use the principle of 3,2,1. 3 backups, 2 different different media & 1 offsite. This is standard for any reputable data storage company. If this is a ransomware attack that has been reported elsewhere, it may mean this strategy was not in place. So as leader of the organisation and GS, Evans has ultimate responsibility to keep members data safe and secure. If it is proved he played fast and loose with membership data, he should be sacked! This could cost the party a considerable amount of money from litigation and fines, as well damage to the party’s reputation that could utterly mean bankruptcy, yes, it’s that serious. He really should be sacked and so should the Head of IT if it is proven they made the decisions on outsourcing data storage.

    1. Referencing an earlier question the requirement which iamcrawford draws attention to here provides merely one example amongst others of what is reasonably defined as ‘indefensible.’

      You are welcome steveh.

      1. Dave – Why are you hiding behind ‘iamcrawford’
        Perhaps I’d give ‘iamcrawford’ contribution more credence if it linked to the original source material rather than a very selective out of context quote.

    2. That’s because you can’t be arsed to do your own homework steveh. Instead you expect everyone else to spoon feed you.

      It must be really sad to be so lacking in gorm, gumption and self reliance.

      Have you considered obtaining help from a therapist? If you can’t afford it I’m sure many people on this site would be more than willing to help out with a crowd funder.

Leave a Reply

%d bloggers like this: