Labour has been reprimanded for a 2021 data breach. What about all the others?

This particular incident began in November that year and seems to centre on an unmonitored email account that was supposed to handle Subject Access Requests (SARs) – inquiries about personal data. These had increased after a cyber attack that apparently caused a different data breach in October of that year.

So the current reprimand from the Information Commissioner’s office isn’t about a breach in which personal details of thousands of members were apparently spirited away by persons unknown – but related to around 150 complaints about Subject Access Requests not being actioned properly.

This also is a long-term Labour failure. This Writer had to wait two years for Labour to respond to a Subject Access Request I made – after I left the party – as described here. And even then the response was unsatisfactory; most of the information had been blacked out because the party didn’t want me to see what its people had been saying about me.

In this particular case, according to the BBC,

A cyber attack on the Labour Party in October 2021 led to an increase in requests from the public, which it had an obligation to respond to within one month of receipt.

However, monitoring of a “privacy inbox” related to the attack ended in November the same year, with no response provided to about 646 SARs and 597 requests for the deletion of personal information.

Under data protection law, people have the right to ask an organisation if it is using or storing their personal information and receive a copy of any personal information held.

As of November 2022, the Labour Party had received 352 SARs, but 78% did not receive a response within the time limit of three months, and more than half (56%) were significantly delayed by more than one year.

The ICO reprimanded Labour for failing to comply with its legal obligations and ordered an action plan to deal with the backlog, including hiring sufficient staff.

Since then, the party has assigned three temporary members of staff to handle outstanding requests.

The ICO said the backlog had now been dealt with and Labour had implemented measures to ensure people received a prompt response in the future.

So Labour has dealt with a backlog of SAR requests – including some calling for personal data to be deleted, nearly three years after some of these requests were made.

You can understand why people were angry, can’t you?

But it gets worse – and I wonder why the BBC didn’t go back over the details of the “cyber incident” that led to those SARs in the first place.

I reported in November 2021:

The Labour Party has informed This Writer – and many others, it seems – that my data may have been hijacked after it was given to a “third party”.

This is very concerning for several reasons:

Firstly: I am no longer a member of the Labour Party and it should not be holding any information of mine, for any reason at all.

Secondly: I have not given permission for any data held by me to be passed on to any third party, and it is illegal for the Labour Party to have done so.

Next: The Labour Party has not passed on details of the identity of this mysterious third party. Why not? Is it embarrassing? Is it potentially incriminating? I want to know, and I reckon thousands of others will want to know as well.

Finally: Why am I hearing about this on November 4, possibly an entire week after the incident took place – and a day after many other victims were informed? Why were we not all informed at once?

According to Labour’s letter to affected people (which the party is apparently asking us not to share, although that part seems to have been cut from mine), party officers were informed of the incident on October 29.

This implies that the data was hijacked on a still earlier date, meaning that we went uninformed that our illegally-held data had been held by wrong-doers for a longer time than Labour suggests and that we have been vulnerable to cyber crime for all of that period without even knowing about it.

The crime itself seems to be a ransomware incident in which data is rendered inaccessible to a user unless it pays the hijacker some form of remuneration. If such payment is refused, the hijacker may go on to use the stolen data to harm the people to whom it belongs. Labour doesn’t mention this in its email.

Nor are we informed of the nature of the data that was stolen. It may include personal information that could be used for identity theft or blackmail, and/or financial information that could result in plain theft from our bank accounts. We don’t know because Labour hasn’t told us.

The email goes on to say that Labour has reported the incident to authorities including the National Crime Agency (NCA), National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). No doubt those organisations are busy doing very little about it (I have experience of the ICO’s dawdling with regard to Labour Party data breaches; it says it has received so many reports about the party that it is swamped).

And we are told that the Labour Party “takes the security of all personal information for which it is responsible very seriously”, which seems plainly untrue, considering the fact that it should not have had any of my personal information at all.

One final point: Labour Party members may have no choice on who receives their information because party secretary David Evans and the leadership helmed by Keir Starmer demand that they automatically agree to everything the party does with it, as a condition of membership.

But I am no longer a member.

So the data breach meant information the party had kept illegally, about people like me who were no longer members, had been passed on to a third party who had then tried to ransom it – after it had been passed on to another third party (that was possibly run by associates of party secretary David Evans – cronyism again?) that should also not have had access to it.

That is bad enough, but in 2020 – a year before the ransomware incident and the start of the SAR incident – This Writer had already reported how Labour was habitually passing private information belonging to members and ex-members over to other organisations – like the press – of its own accord.

In that article, I discussed a Labour Party member’s revelation that she had learnt from the press that her membership had been suspended:

It is against the law for an organisation such as the Labour Party to share personal information relating to any member with a third party without the member’s consent.

That’s in the UK’s Data Protection Act(s) and in the General Data Protection Regulations to which the UK subscribes.

However, as we all discovered from the verdict in my court case last week (didn’t we?), the law doesn’t count if the organisation (in this case, Labour) can say with a straight face that the leak was carried out by a party officer without the knowledge of their bosses, and they do not know who was responsible for the leak.

The statement doesn’t have to be true. All Labour has to do is fail to provide any information to the contrary. And as the organisation controlling all the information, you can be sure that it won’t be forthcoming.

So Ms Regan found out from the press.

Jeremy Corbyn found out about his suspension from a photographer.

Nadia Whittome found out she had been sacked as a PPS from the Guido Fawkes blog.

There have been many more, back through the years to the moment when…

I found out about my own suspension from a reporter working at the Western Mail, on May 3, 2017.

Labour has been leaking damaging private information about party members to the press for more than three and a half years.

It isn’t legal. But it is clearly de facto party policy.

I wonder. Is it still Labour policy to leak information about out-of-favour party members to the press?

I suppose we’ll find out the next time someone finds out their membership has been suspended or terminated from a newspaper article.

In the meantime, I also wonder why those of us who have been affected already have not received financial compensation from Labour for its mistakes and the potential damage they have caused us.

And I wonder whether incidents like these are among the reasons Labour has haemorrhaged members since Keir Starmer took over as leader in 2020.

I mean, if you’re a Labour member, do you want your own personal-data dirty laundry hung up all over the national news media for everyone to see – especially if the information isn’t even true (as it wasn’t in my own case)?

And now this party is running the country.

It doesn’t exactly make you feel safe, does it?

---

Vox Political needs your help!
If you want to support this site
(but don’t want to give your money to advertisers)
you can make a one-off donation here:

Be among the first to know what’s going on! Here are the ways to manage it:

1) Register with us by clicking on ‘Subscribe’ (bottom right of the home page). You can then receive notifications of every new article that is posted here.

2) Follow VP on Twitter @VoxPolitical

3) Like the Facebook page at https://www.facebook.com/VoxPolitical/

Join the Vox Political Facebook page.

4) You could even make Vox Political your homepage at http://voxpoliticalonline.com

5) Join the uPopulus group at https://upopulus.com/groups/vox-political/

6) Join the MeWe page at https://mewe.com/p-front/voxpolitical

7) Feel free to comment!

And do share with your family and friends – so they don’t miss out!

If you have appreciated this article, don’t forget to share it using the buttons at the bottom of this page. Politics is about everybody – so let’s try to get everybody involved!

Buy Vox Political books so we can continue
fighting for the facts.
Cruel Britannia is available
in either print or eBook format here:

The Livingstone Presumption is available
in either print or eBook format here:

Health Warning: Government! is now available
in either print or eBook format here:

The first collection, Strong Words and Hard Times,
is still available in either print or eBook format here: