Data and securityCyber SecurityGloucester City Council fined by ICO for leaving personal information vulnerable to attack

Gloucester City Council fined by ICO for leaving personal information vulnerable to attack

The Information Commissioner’s Office (ICO) has fined Gloucester City Council £100,000 after a cyber attacker accessed council employees’ sensitive personal information

Gloucester City Council has been fined £100,000 by the Information Commissioner’s Office (ICO) after a cyber attacker accessed council employees’ sensitive personal information.

The attacker took advantage of a weakness in the council’s website in July 2014, which led to over 30,000 emails being downloaded from council mailboxes. The messages contained financial and sensitive information about council staff.

The attack exploited the ‘Heartbleed’ software flaw. Despite well publicised warnings from the ICO and the media, the council failed to repair the vulnerability in a timely manner, leaving personal information at risk and breaking data protection law.

Sally Anne Poole, Group Enforcement Manager at the ICO said: “This was a serious oversight on the part of Gloucester City Council. The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack.”

The ICO investigation found that the council did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made.

The attacker contacted them claiming to be part of Anonymous, a group known for attacks on websites.

Poole added: “The council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff.

“Businesses and organisations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty.”

The ICO has recently published a blog on how vulnerabilities in IT systems can leave organisations open to ransomware attacks to help UK businesses.

Related Articles

Government announces projects to boost diversity in cyber security

Cyber Security Government announces projects to boost diversity in cyber security

3w Austin Clark
Learning, development and diversity will help close the cyber skills gap in 2019

Cyber Security Learning, development and diversity will help close the cyber skills gap in 2019

4w Simon Hember
Top public sector tech trends in 2019

Change Management Top public sector tech trends in 2019

1m Gary Flood
Microsoft aims to boost public sector cloud security through new guidance

Cloud Computing Microsoft aims to boost public sector cloud security through new guidance

1m Austin Clark
Infographic: Cyber Security in 2019

Cyber Security Infographic: Cyber Security in 2019

2m Austin Clark
Cyber security is about much more than technology

Cyber Security Cyber security is about much more than technology

2m Austin Clark
Q&A: How cyber security is changing in the public sector

Cyber Security Q&A: How cyber security is changing in the public sector

4m Austin Clark
NCSC defends UK from more than 10 cyber attacks a week

Cyber Security NCSC defends UK from more than 10 cyber attacks a week

4m Austin Clark