Names and photographs of up to 20,000 officers could have been exposed following a data breach affecting UK police forces.

Stockport-based Digital ID is the UK’s largest ID card supplier – serving some 30,000 customers across the country, a list that reportedly includes the Metropolitan Police and Greater Manchester Police, as well as various universities and NHS Trusts.

It’s now thought to have been the victim of a ransomware attack that exposed the personal details of around 20,000 people. What’s more, with the investigation still ongoing it’s feared that the real number of impacted individuals could creep even higher still.

The ongoing investigation means details around this specific cyber attack are scant, though Digital ID has confirmed it was the target, adding that an IT security incident “affected the company’s systems”. A spokesperson added that external consultants were brought in to investigate what data may have been leaked, and whilst all this was ongoing the company couldn’t provide further comment.

Due to the secrecy around the ongoing investigation it has not been officially confirmed whether this hack is related to or separate from another that also impacted Digital ID in recent weeks. This original breach exposed the names, ranks, photos, vetting levels and pay numbers belonging to officers and staff at the Metropolitan Police when the IT system of a Digital ID supplier was hacked.

Reassuringly, this latest breach doesn’t appear to have disclosed as much personal data, with reports claiming that only names and photographs were made available.

That said, Toby Lewis of Darktrace (and a former incident manager at the National Cyber Security Centre) told The Guardian there was still real cause for concern.

He warned: “If you’ve got a pass that’s been made by Digital ID then there is absolutely is the chance that your personal details that were used to generate that pass [have] been caught up in this ransomware attack and could eventually be leaked online if the company chooses not to pay the ransom.”

One saving grace could be that many clients buy ID card printers directly from the company, meaning it doesn’t handle as much data as if it printed everything in house. However, the Metropolitan and Greater Manchester police forces are not thought to be among this group – instead providing Digital ID the information to print passes on their behalf.