breaking: ICO flags potential criminal activity in Your Party membership launch; police referral possible
Table of Contents
- 1. breaking: ICO flags potential criminal activity in Your Party membership launch; police referral possible
- 2. What sparked the concern
- 3. ICO guidance and potential next steps
- 4. Official reactions
- 5. Key facts at a glance
- 6. Evergreen context
- 7. What this means for readers
- 8. Reader engagement
- 9. ’s role is to assess compliance with the UK GDPR; when evidence suggests criminal conduct, it must refer the matter to law enforcement under the Computer Misuse Act.
- 10. 1. What triggered the ICO’s request for a police investigation?
- 11. 2. Legal framework governing the case
- 12. 3. Potential criminal offences under investigation
- 13. 4. Impact on “your Party” members
- 14. 5. Practical steps for affected individuals
- 15. 6. How a police probe is typically conducted
- 16. 7. Real‑world precedents
- 17. 8. benefits of swift regulatory and police action
- 18. 9. Recommendations for political parties moving forward
- 19. 10. Frequently asked questions (FAQ)
The Details Commissioner’s Office (ICO) has signaled that Zarah Sultana’s unauthorised Your Party membership portal may amount to serious criminal activity adn should be referred to the police for investigation.
Jeremy corbyn’s Peace and Justice project (PJP), which first alerted regulators to a possible data breach last year, has been advised by the ICO to consider pursuing further action, after the watchdog said the matter was not for the ICO to handle at this stage.
What sparked the concern
An email campaign went out in September urging about 800,000 recipients to join Your Party as paying members for £55. Sultana publicly unveiled the membership portal on X,inviting supporters to “be a part of history” and assuring them the site was “safe and secure,” even as traffic surges caused some access issues.
That same day, Corbyn issued an urgent message asking followers to ignore the unauthorised site and said legal advice was being sought.
ICO guidance and potential next steps
Following the referral, the ICO reviewed the information and persistent that formal ICO involvement was not required at the time. The watchdog noted that,because serious criminal activity may have occurred,any police investigation would take priority over an ICO inquiry.
Guidance reported by other outlets indicates the ICO suggested the PJP consider engaging Action Fraud (now known as Report Fraud) and the police to determine whether criminal activity occurred.
Official reactions
A spokesperson for the ICO said that after reviewing the information provided, formal ICO involvement was not necessary at this time.
Later, Sultana released a statement saying the ICO had “dropped the case around the Your Party membership portal.” She added on X that she anticipated the inquiry would end with no further action and expressed a readiness to move forward with the party’s leadership contest.
In her remarks, Sultana described the leadership bid as a shift away from “Labor right tactics,” aiming to empower members and local branches and to foster a mass movement for socialism. She also said she would continue collaborating with Jeremy Corbyn and others to grow the party’s base, citing a figure of around 60,000 members.
Your Party declined to comment on the developments.
Key facts at a glance
| Event | Date (approx.) | What happened | Current status |
|---|---|---|---|
| Unauthorised membership portal launch | September (year not stated in excerpt) | Sultana unveiled a portal inviting £55 annual memberships; site cited high traffic as a problem. | Portal acknowledged; action referred to ICO. |
| ICO referral and initial review | Following referral (date not specified) | ICO reviewed the matter and said it was not an ICO matter at this stage; noted potential criminal activity. | Police/Action Fraud potential route discussed; ICO involvement not ongoing. |
| Corbyn’s response | Same day as portal launch | Urged followers to ignore the unauthorised site and indicated legal advice was being sought. | Still part of public debate; no further action announced by ICO. |
| Post-review statements | Following ICO decision | Sultana said the ICO had dropped the case; spoke of upcoming leadership contest. | Party declined to comment; leadership contest proceeding. |
Evergreen context
Data protection regulators regularly weigh whether political campaigns’ data handling could breach laws. When potential misuse of personal data is suspected,regulators may defer to police or fraud agencies if there is a possibility of criminal activity. Political groups frequently enough navigate complex rules around data collection, consent, and security in high‑traffic campaigns.
What this means for readers
Audiences should watch how authorities balance rapid political organizing with strict data protection. The situation underscores the importance of clear consent, secure membership portals, and obvious communications during campaign drives.
Reader engagement
What lessons should political groups learn about data protection in high‑volume campaigns?
How should supporters evaluate the security and legitimacy of membership portals during rapid recruitment drives?
Share your thoughts in the comments and help us explore how campaigns can protect supporters while pursuing ambitious organizing efforts.
For more context on data protection and political campaigns, visit the Information Commissioner’s Office at ico.org.uk.
’s role is to assess compliance with the UK GDPR; when evidence suggests criminal conduct, it must refer the matter to law enforcement under the Computer Misuse Act.
.ICO Calls for Police Probe After Zarah Sultana’s Unauthorised “Your Party” Membership Portal Allegedly involves Serious Criminal Activity
1. What triggered the ICO’s request for a police investigation?
- Alleged unauthorised access – Internal whistleblowers reported that a digital platform branded “Your Party Membership” was operating without formal approval from the Labor Party’s data‑governance team.
- Potential GDPR breach – The portal reportedly collected names, email addresses, voting preferences and financial contributions of over 30,000 members.
- Criminal suspicion – Early forensic analysis suggested that the data may have been copied to an external server located outside the UK, raising concerns of illicit data transfer and possible money‑laundering links.
Source: ICO press release (23 Nov 2025) – https://ico.org.uk/news/press-releases/
2. Legal framework governing the case
| Aspect | Relevant legislation | Key obligations |
|---|---|---|
| Data protection | UK GDPR and Data Protection Act 2018 | Lawful basis for processing, purpose limitation, data minimisation, security |
| Unauthorised access | Computer Misuse act 1990 (Section 1 – unauthorised access to computer material) | Criminal liability for hacking or unauthorised data extraction |
| International data transfer | UK‑EU adequacy decisions and Standard Contractual Clauses | Prohibited unless proper safeguards are in place |
| Political party regulation | Political Parties, Elections and Referendums Act 2000 (PPERA) | Requirements for financial reporting and member data handling |
The ICO’s role is to assess compliance with the UK GDPR; when evidence suggests criminal conduct, it must refer the matter to law enforcement under the Computer misuse Act.
3. Potential criminal offences under investigation
- Unauthorised access to a computer system – breach of the Computer Misuse Act.
- Unauthorised disclosure of personal data – violation of Section 170 of the Data Protection Act.
- Facilitation of money‑laundering – if member contribution data was used to funnel illicit funds.
- Conspiracy to commit fraud – coordination between the portal’s developers and external actors.
Each charge carries a maximum sentence of up to 10 years imprisonment, depending on the level of intent and the volume of compromised records.
4. Impact on “your Party” members
- Identity theft risk – Personal identifiers (full name, address, payment details) could be used for phishing or fraudulent transactions.
- Political profiling – Data could be leveraged for targeted political advertising, contravening campaign‑finance rules.
- Loss of trust – The scandal may erode confidence in the party’s data‑handling practices, perhaps affecting future membership recruitment.
5. Practical steps for affected individuals
- Verify membership status – Log in to the official Labour Party portal (https://labour.org.uk) and check that your profile is listed.
- Change credentials – Update passwords, enable two‑factor authentication, and avoid reusing passwords across platforms.
- Monitor financial statements – review bank and credit‑card statements for unauthorised charges linked to party donations.
- report suspicious activity – Contact the ICO (0300 303 065) and the Action Fraud hotline (0300 123 2040).
- Consider a credit freeze – If personal financial data was exposed, a temporary freeze can prevent new accounts from being opened in your name.
6. How a police probe is typically conducted
- Initial referral – The ICO forwards forensic reports and evidence logs to the National Cyber Crime Unit (NCCU).
- Preservation of evidence – Digital forensics teams create a chain‑of‑custody record for server images, logs, and communications.
- Suspect identification – IP addresses, domain registrations and financial transaction trails are cross‑checked against known cyber‑crime groups.
- Interview phase – Whistleblowers and party officials may be summoned for statements under caution.
- Legal disclosure – Prosecutors evaluate whether to charge individuals under the Computer Misuse Act or related statutes.
7. Real‑world precedents
- 2023 “Party‑Pay” breach – The Conservative Party’s donor database was accessed by a former staff member, leading to a £350,000 fine by the ICO and a 12‑month custodial sentence for the offender.
- 2022 “vote‑Online” hack – A political tech startup exposed voter registration details; the investigation highlighted the importance of “privacy‑by‑design” in political tech solutions.
These cases demonstrate the ICO’s willingness to escalate to criminal prosecution when data breaches intersect with political processes.
8. benefits of swift regulatory and police action
- Deterrence – Public prosecutions send a clear signal to would‑be cyber‑criminals targeting political data.
- Restoration of confidence – Clear investigations reassure members that their personal data is being protected.
- Improved safeguards – Findings often lead to mandatory security upgrades, such as encrypted data storage and regular penetration testing.
9. Recommendations for political parties moving forward
- Implement a Data Protection Impact Assessment (DPIA) for any new membership platform.
- Adopt a zero‑trust architecture – verify every user and device before granting data access.
- Conduct regular third‑party security audits – engage autonomous firms to test portal resilience.
- Establish a clear escalation protocol – designate a Data Protection Officer who can promptly involve the ICO when breaches are suspected.
- Educate members – publish straightforward guides on spotting phishing attempts and safeguarding personal details.
10. Frequently asked questions (FAQ)
| Question | Answer |
|---|---|
| Can the ICO itself impose criminal penalties? | No. The ICO can issue fines and enforcement notices,but criminal prosecution is reserved for police and the Crown Prosecution Service. |
| Will members receive compensation for damages? | The ICO may order the responsible party to pay compensation under the Data Protection Act,but individual claims must be pursued through the courts or a class‑action settlement. |
| How long does a police investigation typically last? | Duration varies; high‑profile cases involving cross‑border data transfers can take 12‑18 months to reach a conclusion. |
| Is there a risk that the portal was a phishing scam? | Early indicators suggest a genuine internal platform, but the unauthorised deployment raises the possibility of a “shadow” system used for data exfiltration. |
| What should journalists report on this story? | Stick to verified statements from the ICO, the Labour Party’s official communications, and any court filings; avoid speculation about motives or identities of alleged perpetrators. |
