Case Studies

Council fined after hacked

by Mark Rowe

The data protection watchdog the Information Commissioner’s Office (ICO) has fined Gloucester City Council £100,000 after a cyber attacker accessed council employees’ personal information.

The ICO reports that the attacker took advantage of a weakness in the council’s website in July 2014, which led to over 30,000 emails being downloaded from council mailboxes. The messages contained financial and sensitive information about council staff.

The attack exploited the ‘Heartbleed’ software flaw. Despite well publicised warnings from the ICO and the media, the council failed to repair the vulnerability in a timely manner, leaving personal information at risk and breaking data protection law, the watchdog says.

Sally Anne Poole, Group Enforcement Manager at the ICO said: “This was a serious oversight on the part of Gloucester City Council. The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack.”

The ICO found that the council did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made. The attacker contacted them claiming to be part of Anonymous, a group known for attacks on websites.

Ms Poole added: “The council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff. Businesses and organisations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty.”

Background

The ICO has recently published a blog on how vulnerabilities in IT systems can leave organisations open to ransomware attacks.

The ICO has responsibilities set out in the Data Protection Act 1998. The General Data Protection Regulation (GDPR) is a new law that will replace the Data Protection Act 1998 and will apply in the UK from May 2018. The UK Government has confirmed that the UK’s referendum vote in June 2016 to leave the EU will not affect the start of the GDPR.

Comments

Adenike Cosgrove, Cybersecurity Strategy, EMEA at Proofpoint, a cybersecurity product company, said: “The Gloucester City Council breach serves as a reminder for security teams to patch vulnerabilities; ensure all third-party vendors and partners comply with rigorous security practices; and encrypt sensitive data to protect it, should it be intercepted. In this case, attackers accessed confidential information via the council’s website and internal emails. Both the email and web channels continue to be the favoured entry points for cybercriminals, because they are public-facing and relatively easy to exploit via vulnerabilities, social engineering, or some combination of the two. We expect to see more fines like this as the General Data Protection Regulation (GDPR) takes effect. Organisations must take stock now and have a good understanding of all personal data they host, where it resides and most importantly, take all the necessary steps to protect it from threat actors.”

And Paul Farrington, Manager, EMEA Solution Architects at Veracode, called it an unfortunate outcome for the council. “Vendors like Veracode in 2014, were offering free scans, with ‘no strings attached’. Such, was the importance of addressing Heartbleed, which is a highly exploitable vulnerability. The Council officials could have protected the 30,000 leaked email records without incurring any additional cost burden. There will be a variety of reasons why this vulnerability was not patched. Top of the list, will be the notion that that Council had outsourced the responsibility to a third-party IT provider to manage vulnerabilities. The reality however, is that you can’t outsource the obligation to protect the privacy of individuals. Whilst one might be able to cut costs by getting a firm to look after day-to-day tasks, the buck still stops with the data owner – in this case Gloucester City Council.

“This is a particularly relevant matter, given the recent WannaCry outbreak which exploited vulnerabilities in the Microsoft operating system and took down large swaths of the NHS IT network. A recent FOI request, issued by Veracode, revealed that nearly half of NHS Trusts scan for application vulnerabilities just once a year, it’s clear that large parts of the public sector are asleep at the wheel, when it comes to securing the software that runs our lives.”

Related News

  • Case Studies

    Vehicle tracking

    by Mark Rowe

    Gratte Brothers Ltd, a UK building service company, is using a tracking system on its vehicle fleet. Fleets belonging to the group’s…

  • Case Studies

    Cyber breach survey

    by Mark Rowe

    Over four in ten businesses (43 per cent) and two in ten charities (19pc) have experienced cyber-security breaches or attacks in the…

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing