Legacy software and a lack of confidence in how to deal with cyber-attacks are leaving local council authorities dangerously high on the cyber-criminal agenda. The report also outlined a lack of understanding regarding cyber-attacks and how to combat them at a local government level. This has led to a decreased level of confidence in a number of the solutions currently employed to combat cyber-attacks. Most councils labelled their existing legacy systems as inadequate to deal with modern threats.
The top findings of the survey, “Cyber Security: Threats and Opportunities Across Local Government”, include:
These statistics clearly demonstrate a widespread lack of confidence in council IT infrastructure. This is in part due to the lack of faith in legacy systems, further highlighted by the rise in cyber-attacks that expose extensive weaknesses.
It is evident that cyber security issues are becoming more prevalent, with external attacks on local council authorities increasing. However, the external data threats are intrinsically linked with the internal data threats, a combination that can potentially lead to hefty fines if procedures are not put in place and security technology is not upgraded.
The Information Commissioner’s Office (ICO) has recently fined Nottinghamshire County Council £70,000 for leaving elderly and disabled people’s personal data publicly available online for five years.
According to the ICO, the information included the gender, addresses and postcodes of 3,000 people. It also listed many people’s personal care needs and requirements, such as the number of home visits they receive per day and whether they had been or are still in hospital.
The information had been available online since July 2011, when the council launched its Home Care Allocation System, an online portal that allows social care providers to confirm that they are able to support a particular person.
There were no login credentials needed to access the portal, meaning anybody could access the data. This fact only came to light when a member of the public accessed the portal via a search engine and reported it.
ICO Head of Enforcement Steve Eckersley said: “This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.
“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”
In July of this year the BBC reported that Newcastle City Council admitted a data leak, in the form of the details of thousands of children and their adoptive parents. Although no formal fine was incurred, the Information Commissioner’s Office (ICO) has the ability to levy a fine of up to £500,000.
The email attachment contained personal details relating to 2,743 individuals, including personal information such as names, addresses and birthdates. Fortunately, in this scenario, no financial details were included,
Basildon Council were also fined £150,000 for a data breach in May, when they released sensitive family data. The ICO stated that the breach related to a failure to remove the personal data, and that the council had breached the Data Protection Act when it inadvertently published the information online.
It’s not just brand reputation that’s on the line in local council authority data breaches but the confidentiality of all customer data. There is a moral and ethical responsibility beyond just keeping company data secure, as the general public rely on local councils to keep their personal information secure. This data security requirement applies to both external and internal data threats, both of which carry the possibility of fines by regulatory authorities (such as the ICO) as well as cyber ransom.
The extensive fines that the listed councils have incurred are just the tip of the iceberg in comparison to the potential fines that could be imposed when the General Data Protection Regulation (GDPR) takes effect on May 18th, 2018.