The Clop ransomware gang pwned a managed service provider with access to the UK’s Police National Computer, dumping data on its dark web leaks site – but officials deny that police data was compromised.
Dacoll, a Scotland-based MSP, was attacked in October by the notorious criminal crew. Reports surfaced in the Mail on Sunday newspaper over the weekend that the criminals had published information from the Police National Computer on their leaks site.
The paper claimed that data was harvested through illicit access to Dacoll’s systems when the company was subject to a ransomware attack back in October. A Dacoll subsidiary, NDI Technologies, advertises itself as “the leader for all things related to the Police National Computer.”
The PNC is the British police’s population database. Assembled piecemeal by police forces inputting data on crime suspects, witnesses, and others who come into contact with police for whatever reason, the elderly and opaque system is the state’s master record of arrests, criminal convictions, and more.
The Sunday newspaper claimed the stolen data included images from the national Automatic Numberplate Recognition (ANPR) system, a system that is separate from the PNC.
“Footage includes close-up images of the faces of drivers who have been snapped speeding,” claimed the report – although today an official spokesman played down the breach, claiming nothing was accessed from the PNC.
A Home Office spokesperson told The Register: “We are aware of a data breach involving Dacoll. No records from the Police National Computer have been accessed.”
The National Cyber Security Centre added: “We are aware of this incident and working with law enforcement partners to fully understand and mitigate any potential impact.”
Dacoll has a place on a half-a-billion-pound NHS framework contract. The company had not responded to The Register‘s enquiries by the time of publication.
Links to the stolen data had been deleted from the Clop gang’s Tor-hosted leak blog when The Register examined it today so it is not possible to verify the newspaper’s claims. We have seen a screenshot that appeared to show two British passports, which is in line with previous leaks of stolen data intended to coerce victims into paying ransoms to prevent more disclosures.
Ransomware researcher Brett Callow of infosec biz Emsisoft told The Register that deletion of the data may no longer be a sign of ransom payments – or non-payments.
“In the past I’d have said the removal was an indicator that Dacoll paid, but now I wouldn’t read anything into it. The gangs seem to be becoming more circumspect when it comes to releasing data,” he said. “Nobody is claiming responsibility for the attacks on Kronos, hospitals, etc. I suspect they believe that not publishing data may lessen the likelihood of them being ‘REviled’ by law enforcement/military cyber operations.
“I wouldn’t, therefore, be at all surprised if they simply took Dacoll’s data down when they realised how sensitive it was.”
Police raids in Ukraine during June, trumpeted by local coppers as a decisive strike against Clop, do not appear to have had the desired effect of forcing the gang offline. ®