Westminster has been rocked this week by the emergence of the breakaway Independent Group, but behind the political fallout has been another story: a potential data breach.
The Labour Party, which has so far lost eight MPs to the Independent Group, reported MP Joan Ryan to the Information Commissioner’s Office, claiming she had accessed Labour databases to contact members following her resignation.
Ryan, who became the latest Labour MP to join the Independent Group on Tuesday, denies the accusations.
Labour locks down its databases
Upon suspecting a data breach, Labour took swift action, locking down several databases, including one detailing all members of the party.
Labour general secretary Jennie Formby informed Labour staff, including MPs, about the action in a letter.
“In recent days…the party has become aware of a number of attempts to access personal data held on the party’s systems by individuals who are not, or are no longer, authorised to do so,” she wrote.
“Much of the data held on our systems tends to reveal individuals’ political opinions and is therefore ‘special category’ data, benefiting from enhanced protection under the legislation.”
This action was taken as part of the party’s attempts to adhere to GDPR and the Data Protection Act 2018, with a party spokesman saying that Labour takes its “data protection obligations extremely seriously”.
“We are aware that the information commissioner is taking an increasingly serious view of misuse of personal data and requires a data controller to take reasonable and proportionate steps to ensure the security of data held on its systems,” the spokesman added.
Independent Group data breach accusations
The accusations are essentially based on the notion that the new organisation – which denies it is a party, despite multiple characterisations as such – would find a database of engaged voters very valuable to its future growth.
However, as acquiring data in this way would be illegal, it is a very serious accusation, and it is therefore understandable that the Labour Party would take action even if they are not certain that a breach occurred.
“GDPR expects data controllers, in this case the Labour Party, to ensure the security of the personal data they hold and this includes technical means,” commented Anjola Adeniyi, technical account manager for Securonix.
“Identity and Access Management processes and technologies can come to aid here, especially as the biggest security threats are often on the inside of organisations.
“Likewise, the breakaway MPs suspected to be involved in this incident could be committing an unlawful act.”
Cybersecurity concerns for political parties
Of course, there are those suggesting that this is simply a new way for politicians to sling mud, and that the Independent Group data breach accusations could be merely baseless claims designed to make the politicians look bad.
However, political party cybersecurity is a very real issue – with many predicting that these groups are likely to become increasingly popular targets for hackers due to the wealth of data they hold.
“Political parties will always be on a hacker’s radar so their security teams should never take their foot off the gas,” said Jake Moore, cybersecurity expert at ESET.
“Cyber criminals are usually motivated by either financial gain, political reasons, or the desire to cause damage.”
Whether there really was an Independent Group data breach will ultimately be a matter for the Information Commissioner’s Office. But while these accusations may prove to be unfounded, being ready to respond to any suspected data breach can only be a good thing for organisations such as the Labour Party.