Police Federation


What is ransomware?

Ransomware is a type of malware, which is malicious software that is designed to block access to a computer system unless a ransom is paid. Attackers have been utilising such malicious software to prevent businesses from accessing business-critical data. Even if businesses do pay the ransom, there is no guarantee that the attackers will provide the decryption key required to access the data.

Some ransom attackers seek to obtain personal data in order to add leverage to their ransom demands.

There is no evidence that this was the case with the 2019 cyber incidents PFEW suffered. In fact, the evidence indicated that this was not the motive of the attackers.

Law enforcement does not encourage or endorse the payment of ransoms and this position is supported by the UK's Information Commissioner's Office.

PFEW did not pay a ransom in either attack. 

What was the impact on member data?

Leading cyber forensic experts have confirmed that there is no evidence that any personal data was taken during the cyber incidents.

During the incidents, the attackers had the theoretical ability to access:

  • As part of the first incident, the National Membership Database, the Hotel Booking Database and the Claims Management Database.
  • As part of the second incident, local Branch Databases.

During the incidents, PFEW could not access the above databases for a period of time. PFEW's email system was also down.

How did we communicate the cyber incidents to members?

PFEW did everything it reasonably could to notify members of the cyber incidents, as quickly as possible. Keller Postman allege that PFEW failed to notify members of the cyber incidents and that this is a breach of the relevant data protection law. This is not correct.

Communicating the issue was not simple. PFEW's desire to communicate with members had to be balanced against the ongoing criminal investigation. The incidents were complex and it was necessary to investigate them carefully so that we could provide accurate information to members. It was also a considerable logistical operation, which had to be conducted carefully in collaboration with the National Police Chiefs Council (NPCC), the 43 separate branches of PFEW and local police forces.

PFEW's communications included the following:

  1. On 21 March 2019, a statement regarding the first cyber incident was issued publicly on PFEW’s website;
  2. On 21 March 2019, communications in relation to the first cyber incident were published on multiple social media platforms, including via PFEW’s Twitter account;
  3. On 22 March 2019, a second statement regarding the second cyber incident was issued publicly on PFEW's website, together with a list of FAQs;
  4. Between 22 March 2019 and 5 April 2019, a dedicated helpline was set up which could be used by any member that had queries regarding the cyber incidents;
  5. On 23 March 2019, communications were provided to The National Association of Retired Police Officers, together with a list of FAQs; and
  6. In the April/May 2019 edition of POLICE magazine, a communication was published prominently. This edition was made available via our website and in hard copy at all local branches.
  7. In addition, local branches also communicated the fact of the cyber incidents separately.

Why did PFEW oppose the anonymity order?

Keller Postman recently, and on behalf of its clients, applied for a blanket anonymity order to keep the identity of members bringing the claims secret. This application was made without PFEW being allowed to make any representations on its position in advance. The normal position is that English proceedings are conducted 'in public', in the interests of open justice. 

We noted that the order obtained was based on witness evidence that included a number of false statements concerning the personal circumstances of certain members. We raised this with Keller Postman and they voluntarily corrected their application and sought an amended order.

An amended order has now been made by the court such that members will be named in any action they bring against PFEW but their home addresses will be kept confidential.

PFEW would not object to any individual member who applied for anonymity on a sound legal basis, as is consistent with our wider approach to supporting anonymity in appropriate cases.

How long do members have to bring individual legal claims against PFEW?

PFEW will continue to consider individual claims from members who consider themselves to have suffered genuine distress as a result of the cyber incidents. If, after raising their proposed claim with PFEW, members feel strongly about issuing a legal claim, they are able to do so up until March 2025 if the claim is based on data protection law.


We use cookies on this website, you can read about them here To use the website as intended please... ACCEPT COOKIES