Council authority data breaches and cyber-attacks increase
22nd September 2017
76 percent of local council authorities have experienced a
range of cyber-attacks and data breaches in the last 12 months
A comprehensive survey carried out by iGov Survey, which evaluated the concerns of senior figures within 38 local councils across the UK in June 2017, found 76 per cent of local government departments have experienced a cyber-attack and 50 per cent were victims of ransomware in the last 12 months.
Legacy software and a lack of confidence in how to deal with cyber-attacks are leaving local council authority data breaches dangerously high on the cyber-criminal agenda. The report also outlined a lack of understanding regarding cyber-attacks and how to combat them at a local government level. This has led to a decreased level of confidence in a number of the solutions currently employed to combat cyber-attacks. Most councils labelled their existing legacy systems as inadequate to deal with modern threats.
The survey, “Cyber Security: Threats and Opportunities Across Local Government” top findings include:
- Council authority data breaches are a key target for cyber-criminals, with 75.76% of those surveyed experiencing a malware, virus or Trojan attack in the last 12 months. 50% of those surveyed had also experienced a ransomware attack in the last 12 months.
- Legacy systems in local councils are a major cause for concern, 72% of respondents said it was either difficult or very difficult to successfully integrate new systems and applications. This illustrates that for many local government organisations old, outdated technology is having a negative impact on managing cyber-risk.
- Concerns with current technology was again raised with one-third of those surveyed stating they are not confident in their current solution’s ability to identify and remove suspicious traffic with the same number indicating their solution does not protect against zero-day threats including ransomware.
- 52.7% of respondents said that the complexity of cyber threats and the need to keep up with new developments is a concern.
- The top three concerns for local councils when it comes to a potential cyber-attack are: the loss of sensitive data (53%), financial repercussions (53%) and the expected impact on service delivery (41%).
These statistics clearly demonstrate a widespread failing in the confidence of council IT infrastructure. This is in part due to the lack of faith in legacy systems, further highlighted by the rise in cyber-attacks that expose extensive weaknesses.
It is evident that cyber security issues are becoming more prevalent, with external attacks on local council authorities increasing. However, the external data threats are intrinsically linked with the internal data threats, a combination that can potentially lead to hefty fines if procedures are not put in place and security technology is not upgraded.
Fines and consequences of council authority data breaches
The Information Commissioner’s Office (ICO) has recently fined Nottinghamshire County Council £70,000 for leaving elderly and disabled people’s personal data publicly available online for five years.
According to the ICO, the information included the gender, addresses and postcodes of 3,000 people. It also listed many people’s personal care needs and requirements, such as the number of home visits they receive per day and whether they had been or are still in hospital.
The information had been available online since July 2011, when the council launched its Home Care Allocation System, an online portal that allows social care providers to confirm that they were able to support a particular person.
There were no login credentials needed to access the portal, meaning anybody could access the data. This fact only came to light when a member of the public accessed the portal via a search engine and reported it.
ICO Head of Enforcement Steve Eckersley said: “This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.
“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”
A pattern of data breach failures emerges
In July of this year the BBC reported that Newcastle City Council admitted a data leak, in the form of the details of thousands of children and their adoptive parents. Although no formal fine was incurred, the Information Commissioner’s Office (ICO) has the ability to levy a fine of up to £500,000.
The email attachment contained personal details relating to 2,743 individuals, including personal information such as names, addresses and birthdates. Fortunately, in this scenario, no financial details were included,
Basildon Council were also fined £150,000 for a data breach in May, when they released sensitive family data. The ICO stated that the council authority data breaches were in relation to a failure to remove the personal data and had breached the Data Protection Act when inadvertently publishing the information online.
Be pro-active instead of reactive
It’s not just brand reputation that’s on the line for local council authority data breaches but the confidentiality of all customer data. There is a moral and ethical responsibility beyond just keeping company data secure, as the general public rely on local councils to keep their personal information secure. This data security requirement is a necessity for both external and internal data threats, with both levying the possibility of fines by regulatory authorities (such as the ICO) as well as cyber ransom.
The extensive fines that the listed councils have incurred are just the tip of the iceberg in comparison to the potential fines that could be imposed when the General Data Protection Regulation (GDPR) takes effect on May 18th, 2018.