News

13.06.17

Council hit with £100,000 fine for data protection lapse

A council has this week been slapped with a £100,000 fine by the Information Commissioner’s Office (ICO) after a cyber-attack exposed sensitive personal information about its employees to hackers.

Over 30,000 emails were downloaded from mailboxes of people working for Gloucester City Council in July 2014, some containing financial and sensitive information about staff at the local authority.

The ICO also stated that the attack exploited the ‘Heartbleed’ software flaw, a security issue that allows individuals with the right know-how to access information being exchanged between individuals and some websites that were using a certain type of encryption software called OpenSSL.

This is despite the fact that the ICO sent explicit warnings to councils about the risk of ‘Heartbleed’ attacks around three years ago.

However, Gloucester City Council have told PSE that it is “very disappointed” by the decision by the ICO, and is considering its position whether to appeal the fine.

 “This was a serious oversight on the part of Gloucester City Council,” said Sally Anne Poole, group enforcement manager at the ICO.

“The attack happened when the organisation was outsourcing their IT systems,” she added. “A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack.”

Poole stated that the council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff.

“Businesses and organisations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty,” she concluded.

Gloucester City council: fine will have detrimental impact on finances

But Jon McGinty, managing director of Gloucester City Council stated that the council did not agree with the decision, adding that the fine could have a detrimental impact on the authority’s finances.

“The council takes the security of its data very seriously and remains of the view that it did take swift and reasonable steps in 2014 to prevent a data breach as soon as it was alerted to the existence of this hacking vulnerability and the availability of a security patch,” he said.

“The Heartbleed vulnerability was a threat to businesses for some time before a patch was issued by software providers.”

“There is insufficient evidence to show that the hacking event took place after the council became aware of the existence of the potential vulnerability,” McGinty continued.

“The council believes that the penalty issued by the ICO will have a serious and detrimental impact on its finances, and the services that we will be able to provide to the residents of Gloucester in the future.

“The council has invested more than £1million over the past 3 years to further improve its IT security and remains vigilant to the threats that all businesses face on a daily basis.

“The council did account for the risk of this potential fine in its accounts for 2016-17 but nevertheless its payment will only result in money being taken away from the people of Gloucester and given to Treasury.”

Have you got a story to tell? Would you like to become a PSE columnist? If so, click here

Comments

There are no comments. Why not be the first?

Add your comment

 

public sector executive tv

more videos >

latest news

View all News

comment

Driving forward a healthier Scotland

10/11/2017Driving forward a healthier Scotland

Dundee City Council is leading the way in boosting electric vehicle (EV) up... more >
A smarter approach to digital transformation

10/11/2017A smarter approach to digital transformation

Catherine Bright, Smarter Digital Services (SDS) manager, explains how a pa... more >

editor's comment

25/10/2017Take a moment to celebrate

Devolution, restructuring and widespread service reform: from a journalist’s perspective, it’s never been a more exciting time to report on the public sector. That’s why I could not be more thrilled to be taking over the reins at PSE at this key juncture. There could not be a feature that more perfectly encapsulates this feeling of imminent change than the article James Palmer, mayor of Cambridgeshire and Peterborough, has penned for us on p28. In it, he highlights... read more >

last word

The importance of openness after Grenfell

The importance of openness after Grenfell

Following the recent Grenfell Tower tragedy, Lord Porter, chairman of the LGA, argues that if the public are going to have faith in the safety testing process then everything must be out in the open more > more last word articles >

interviews

‘The HSCN is the realisation of industry best practice’

30/06/2017‘The HSCN is the realisation of industry best practice’

Keith Smith, public sector business development manager at Virgin Media Bus... more >

the raven's daily blog

Visual.ONS: How to compete with the big data aggregators

13/11/2017Visual.ONS: How to compete with the big data aggregators

Advertisement feature Christopher Gallagher, territory manager at SAS, explains how big data can be used by the public sector to find innovative solutions to common probl... more >
read more blog posts from 'the raven' >

public sector events

events calendar

back

November 2017

forward
mon tue wed thu fri sat sun
30 31 1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 1 2 3
4 5 6 7 8 9 10

featured articles

View all News