
Police Data Breach UK: What the GMP Hack Taught Us All

 

<p>A police data breach in the UK shook Greater Manchester in late 2023, when a third-party supplier called Digital ID — the company making warrant cards and staff passes — got hit by a ransomware attack. Names, photos, warrant numbers, and serial numbers of over 12,000 officers and staff were suddenly in the hands of criminals. The same people tasked with catching hackers had their own identities exposed by one.</p>

<p>That’s not a hypothetical risk from a training slide. That actually happened.</p>

<p>The attack didn’t target GMP’s own network. It came through a supplier most people inside the force probably never thought twice about. A small company, handling sensitive personal data, with access nobody had properly audited. The <a href="https://www.ncsc.gov.uk/guidance/supply-chain-security" target="_blank">National Cyber Security Centre</a> had been warning about supply chain risk for years before this. But warnings and action are different things.</p>

<h2>How a Police Data Breach in the UK Went Unnoticed</h2>

<p>What made this worse was the delay. Officers weren’t told straight away. The breach happened, internal conversations started, and for a period — some reports say a few days, others suggest closer to a week — rank-and-file staff had no idea their data was floating around. Undercover officers were particularly exposed. If you’re working covert operations and your real name gets leaked, that’s not an inconvenience. That’s a genuine safety threat.</p>

<p>GMP eventually confirmed the breach publicly in September 2023 and referred themselves to the ICO. But by then, the damage was already spreading across forums and encrypted channels. The irony of a police force — one of the largest in England — falling victim to the exact type of crime they investigate daily wasn’t lost on anyone in the industry.</p>

<p>I’ve worked with organisations that treat supplier onboarding as a tick-box exercise. They’ll spend months choosing a firewall vendor but hand employee data to a badge-printing company without a single security question. That’s the reality of how breaches like this happen.</p>

<h2>Supply Chain Attacks Are the Blind Spot</h2>

<p>The GMP breach fits a pattern we’ve been seeing more often. Attackers don’t bother trying to break into well-defended primary targets. They go after the smaller firms connected to them — the payroll providers, the HR platforms, the ID card printers. These companies often run leaner operations with fewer security controls, and they hold exactly the kind of data that makes an attack worthwhile.</p>

<p>Think about your own setup for a moment. How many third parties have access to your staff data? Your cloud backup provider, your managed print service, your recruitment agency — they all hold pieces of the puzzle. If one of them gets breached, it becomes your breach too, at least in the eyes of your employees and the <a href="https://ico.org.uk/" target="_blank">Information Commissioner’s Office</a>.</p>

<p>Under GDPR, you’re responsible for the data you share with processors. That means contracts, audits, and ongoing checks — not just a data processing agreement signed once and filed away. Most small businesses I’ve spoken to don’t even know where their DPA documents are stored.</p>

<h2>What Your Business Should Actually Do</h2>

<p>Start with a supplier audit. Not a massive governance project — just a list. Who has access to your data? What data exactly? When did you last check their security posture? If the answer to that last one is “never,” that’s your priority this week. A <a href="https://1st-it.com/cyber-security-audits/">cyber security audit</a> can map out these gaps faster than you’d think.</p>

<p>Push your suppliers to show you their Cyber Essentials certification. If they don’t have one, ask why. If they can’t answer clearly, that tells you something. And make sure your own house is in order — because when the ICO comes knocking after a breach, “our supplier messed up” doesn’t get you off the hook.</p>

<p>The GMP breach also reinforced something I genuinely believe: most organisations overinvest in perimeter security and underinvest in data governance. We’ll spend thousands on endpoint protection but won’t spend an afternoon mapping where sensitive data actually lives. That imbalance is what attackers count on.</p>

<p>Review your <a href="https://1st-it.com/data-protection-services/">data protection practices</a> before a breach forces you to. Because the uncomfortable truth is that supply chain attacks aren’t slowing down, and no amount of internal hardening will help if the weakest link is a company you forgot you were sharing data with.</p>
