More consequences of Labour’s cyberbreach

The Labour Party can’t issue the ballots for their internal elections; they claim it’s a consequence of the cyber-breach last October.

The Party seems to have attempted to create a replacement membership database by updating its mail manager system and presumably adjusting the feeds, although much of the functionality previously offered is no longer available and the feed from the financial system is now days or weeks out of date. We should note that the membership self-administration tool is also no longer available. From observation, the mail manager is obviously slowly dying. It is known to be inaccurate: there are errors in who it considers to be a member, their addresses, and their payment status.

The Party plans to replace this recovered system with an off-the-shelf package[1] from Microsoft. At the moment we are advised that it is unlikely that local party role holders will get access to this until next year.

Until then we have to use a database known to be inaccurate. From observing presumably NEC-authorised actions, it seems to be considered accurate enough to select councillor candidates and run trigger ballots. Procedure Secretaries have been told that they may not override the membership system even when variances are well known and provable. I question whether this is legal, in that it breaches the duty to be accurate and not to automatically profile people.

What seems to be forgotten is that data protection rests on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality. Often too much or too little attention is paid to integrity and confidentiality, and issues such as lawfulness, fairness, transparency and accuracy are forgotten.

They are running selections and triggers on data known to be inaccurate. This isn’t right.

This has taken 9 months to get here. While culpability for the breach may be questionable, not having a recovery plan and/or not funding it is the fault of the Labour Party and thus its NEC. CEOs have been fired for less.

Why was there no recovery plan? Did they do vendor due diligence on the member centre hosting provider, and did they keep it up to date? Is there a risk register? Has the NEC or the risk committee approved the mitigations? In fact, what is the NEC doing about IT risk? Is there a DPIA on reusing the mail system? Is there a DPIA on reusing the SAR tool? Is there a DPIA on using the social media scanners they use? When will we get a data protection capability that protects members' data from bad actors rather than from themselves?

Nine months failing to recover is shameful and unprofessional. NEC members should be asking why it has come to this and determine if they, through their inaction, are in fact culpable.

[1] This I consider to be wise, although they will need additional software modules to support Labour’s unique processes, such as donation monitoring. Although it seems they plan to customise the UI 🙁 …

Never rains …

A short note on Labour’s cyberbreach. Sienna Rogers at Labour List reports on the third-party victim of Labour’s cyber breach. The software is, I believe, provided by Blackbaud, who usually provide this as software-as-a-service and have been previously attacked, but Rogers states the system is run by Tangent, which I believe to be a trading name for Tangent Marketing Services. This article in the Guardian (HTML / .PDF) reports (2007) on Labour’s award of the contract and identifies Michael Green as the supplier CEO, although his Wikipedia page suggests he has moved on; he is still registered as a Director at Companies House, although the last set of annual accounts state he has resigned. Labour’s General Secretary at the time was Peter Watt, whom Wikipedia quotes the BBC as saying resigned “following the revelation that a property developer made donations to the party via three associates”. Tangent also appointed an ex-Party Director of Communications, Paul Simpson (HTML / .PDF), as its account manager for the Labour Party in 2009, although he left 4 years later.

This story adds to the questions that need to be answered, one of which is why the software and its run-time contract have been in place for so long. Has it been market tested, and are the terms and conditions still appropriate?

When the leak was first reported, I wrote a piece on IT Vendor Management (also on my blog) and posed some questions. I also wrote a short piece on cyber-security and the NIST Cyber-security Framework. In the first of these articles I described what a decent vendor management policy looks like, and how the use of international standards on IT security (ISO 27001) and governance (COBIT) would help, as would having a National Executive Committee properly equipped, trained and interested. …

On Cyber-security

I posted a note on cyber security on my LinkedIn blog. I post some pointers on the standards and controls needed to defend against a cyberattack and implement “adequate technical and organisational” protection. It looks at and links to the NIST cyber-security framework and lists some of the necessary controls to implement a reasonable defence and prove “adequate technical and organisational” controls. If you do what I suggest badly, you might get away with it; if you do it well, you might stop and/or recover from attacks. …

Tory Conference Data Breach

Over the weekend, it seems to have been established that the Tory Party’s conference app suffers a major security flaw and that personal details of its users are available to all. While the BBC seem concerned that the ex-Foreign Secretary’s details are available, it’s of equal concern that all the journalists are also exposed. The maximum fine for any breach is €20m.

A further problem is that under the new laws, people who suffer a breach of rights no longer have to prove harm. This would seem to be a breach of rights and so will be treated at the serious end of the spectrum and there’s a low burden of proof.

Additionally, I would add that this app should have had a data privacy impact analysis and, if deemed high risk, permission needs to be sought from the ICO to deploy it.

The cyber-security controls should have been defined before and tested before and after the DPIA.

The Tories have 72 hours to notify the ICO of the breach and will need to consider remediation for each and every user impacted.

I am sure the ICO would not want the Tories to be their first case as they would like to have established a precedent based tariff; they wouldn’t want the governing party to be the precedent; expectations are that the ICO will be one of the more forgiving of the European data protection supervisory authorities. …

More on Brexit

Many of the implications of the vote to leave the EU have been exercising my mind. I have finally got my notes & thoughts together to publish my initial views on the politics of the aftermath; this article attempts to limit itself to the events and thoughts of the first week after the referendum. I have published them as at the date I started my Storify, where I collected the sources I wanted to quote. This is because it is one of a planned series; I plan to follow up with a piece on immigration, one on the Labour Party and Left unity, and one on the mutation of capitalism and politics.

One of the reasons for my delay was that I was asked for a number of quotes in the IT trade press, which took some writing time. I have posted the complete quotes as three articles on LinkedIn Pulse, on Cybersecurity, Privacy & Trade and the single market, covering innovation, TTIP & Privacy and net neutrality. …