The UK Police Federation of England & Wales (PFEW) website was subject to a malware attack that it discovered on March 9, 2019. It appears that this was a ransomware attack; but the strain has not been announced.
“The malware is a type of malicious software which seizes and encrypts data. The matter is subject to an ongoing police investigation. We are unable to comment further,” said the PFEW in a FAQ released on Twitter yesterday.
The FAQ continues, “Back up data has been deleted and data has been encrypted and became inaccessible. Email services were disabled and files were inaccessible.”
The attack was not announced until 21 March in a statement that simply describes it as a malware attack. “We were alerted by our own security systems on Saturday 9 March. Cyber experts rapidly reacted to isolate the malware and prevent it from spreading,” it announced on Twitter.
It goes on to say the malware was quickly contained, and the incident reported to the data protection regulator (ICO) and the national crime agency (NCA). The criminal investigation is now being led by the NCA, while forensic analysis is being led by BAE Systems’ Cyber Incident Response.
The NCA alerted the cyber agency, NCSC, which has issued its own statement, including the comment, “The NCSC recommends those who have been affected be vigilant to suspicious emails, texts and phone calls.” While this is good standard advice, it does not preclude the possibility that some personal information may have been stolen during the attack.
“Whilst no evidence of data extraction has been found, the PFEW has been working with the NPCC, local forces and its individual branches to ensure as much information as possible is provided to those potentially affected,” said the PFEW.
The implication from this is that the PFEW is confident that no potentially harmful personal data was stolen. Had that been the case, it would have been bound under GDPR to notify those concerned ‘without undue delay’. In fact, it was 12 days before the organization publicly acknowledged the attack.
Although the PFEW reported the incident to the ICO in a timely manner, and rapidly enlisted the help of the NCA and BAE Systems, there are some questions over the delay in informing its users. “Whether they had a regulatory or legal need to inform the ICO isn’t clear,” comments Matt Walmsley, EMEA director at Vectra; “particularly if there has been no data breach. The launch of a criminal investigation may help salve anger and frustration but is unlikely to result in accurate attribution, never mind a conviction, even if they’ve called in their friends from the National Computer Crime Unit. However, their transparent reporting, even if it’s a number of days after the instance should be commended for its candor.”
David Emm, principal security researcher at Kaspersky Lab, is confident that the attack was a random, speculative ransomware attack rather than a targeted attack. “As with most ransomware attacks, the attack on the Police Federation of England & Wales seems to be the result of random, speculative activity, rather than a targeted attack. The motive is probably to extort money rather than steal data.”
He also believes that PFEW has responded well. “It looks like, in this instance, The Police Federation has absolutely done the right thing in preventing the further spread of the ransomware and notifying the relevant authorities in a timely manner. Being able to quickly respond to such an attack and inform affected parties is also being a key consideration for organizations faced with an ever-growing multitude of threats, especially as the public becomes increasingly aware of the risks to their data should an organization be compromised.”
Nevertheless, taking 12 days to notify its own members is raising eyebrows.
SecurityWeek contacted the PFEW and BAE Systems to see if any more information is available, but at the time of writing, we have not had a reply.
Related: Aluminum Giant Norsk Hydro Hit by Ransomware
Related: Ransomware: Where It’s Been and Where It’s Going