ICO fines Gloucester City Council for failing to keep sensitive information suitably safe
Author: Christopher Buck
Gloucester City Council has been fined £100,000 by the Information Commissioner’s Office (“ICO”) after its employees’ sensitive personal information was unlawfully accessed in a cyber-attack.
In July 2014, a cyber-attacker exploited weaknesses in the Council’s website to gain access to, and download, 30,000 emails containing personal information about the Council’s employees.
The Council was found to have broken data protection law by leaving its employees’ sensitive information exposed and vulnerable to attack. This was despite the ICO having issued warnings about the ‘Heartbleed’ software flaw, which the cyber-attacker abused to access the sensitive data. The Council was therefore found to have failed to patch the vulnerability in a timely manner.
The Group Enforcement Manager of the ICO, Sally Anne Poole, confirmed “[t]his was a serious oversight on the part of Gloucester City Council. The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack.”
The cyber-attacker claimed to be part of the hacking group known as Anonymous. On review, the ICO found that the Council did not have the necessary processes in place to prevent such attackers from gaining access. In particular, the Council should have ensured its systems were kept updated while it was changing IT suppliers.
Sally Anne Poole then went on to say that “[t]he Council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff. Business and organisations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty”.
Should you require assistance or have an enquiry regarding data protection, please do not hesitate to contact us on 01908 660966 or email me at email@example.com.