In March 2019, the Police Federation of England and Wales (PFEW) suffered two separate cyber incidents:

1. On 9 March 2019, PFEW suffered a ransomware attack which impacted our headquarters.
2. On 21 March 2019, PFEW suffered a second, separate, ransomware attack which impacted the majority of local branches.

PFEW immediately instructed leading, external, and independent cyber forensics experts to help with its response (BAE Systems), as well as engaging extensively with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), the National Police Chiefs Council (NPCC), and the Information Commissioner's Office (ICO).

Despite our IT system being down for several weeks, including email, we communicated the cyber incidents to members as soon as we could through local police forces and public communications channels and set up a helpline for anyone concerned about their data. This was a complex and challenging exercise.

What happened?

On the evening of 9 March 2019, PFEW suffered a ransomware attack which impacted our headquarters.

BAE Systems, a leading, external, and independent cyber forensics expert concluded that the initial entry point to PFEW’s network was via a newly configured server within PFEW's Microsoft Azure cloud environment. It is highly likely that the attacker was able to gain access to the server through a "password spraying" attack. This is where a list of common username and password combinations are used in an attempt to illegitimately and illegally gain access to a system or network.

Evidence shows that the duration between the first movement in the network and the deployment of ransomware was 1 hour and 30 minutes. This means that the attacker likely only had unauthorised access to PFEW’s network for this short period of time.

Cyber forensic experts were able to determine that the only activities being carried out by the attacker were: deleting data backups, trying to gather information about how the network is configured and determining how to bypass Antivirus defences. The forensic experts confirmed that no suspicious file system activity, which might indicate that data was being accessed or downloaded, was detected.

Accordingly, there is no evidence that the attacker accessed or downloaded, or was attempting to target, any personal data held by PFEW.

Second cyber incident

On 21 March 2019, PFEW suffered a second and separate ransomware attack. In this attack, “GandCrab” ransomware was used. This impacted our wider IT network, including local branches.

BAE Systems, who were still working with PFEW at the time of the second cyber incident, concluded that the entry point of the second attack was via a remote access support tool called Kaseya, which was used by an IT service provider. The malware had infected the systems of our IT supplier and migrated from its systems to PFEW’s systems. BAE Systems also concluded that PFEW was not the target of the attack but was one of several customers of the relevant service provider who also had Kaseya and were also impacted by the GandCrab ransomware.

BAE Systems also confirmed they had seen GandCrab ransomware deployed in a number of other attacks, in all of which no reports of any personal data being taken were found. Accordingly, there is no evidence that the attacker accessed or downloaded, or was attempting to target, any personal data held by PFEW.

What personal data did this affect?

There is no evidence that any personal data was accessed, downloaded, or targeted as a result of the cyber incidents.

The attackers' unauthorised access to PFEW’s network means that they had the theoretical ability to access certain personal data held by PFEW. However, all of the available evidence suggests that the cyber incidents were not targeted at personal data. In the three and a half years which have passed since the cyber incidents, there continues to be no evidence that any personal data was subject to any actual unauthorised access.

PFEW is confident that there was no actual impact on personal data as a result of the cyber incidents, beyond a small period of temporary unavailability at the time and whilst PFEW was working to get its systems back online.

Steps taken by PFEW

PFEW acted immediately to respond to the cyber incidents. A chronology of the work undertaken in the immediate aftermath of the cyber incidents can be found here.

Following on from the aftermath of the cyber incidents, PFEW worked with BAE Systems and Accenture to mitigate and understand the causes of the cyber incidents and has since moved to a completely new IT network built to a security standard similar to that of the Police National Network.