Ceredigion Council data breach blamed on human error


A data breach at Ceredigion Council is being blamed on human error. The breach saw documents which contained personal and sensitive information published on the county council’s website.

In the worst instances, these documents included detailed health information about local residents. The other information breached was considered lower risk and included info such as names and addresses, company names and transactions for the sale of land.

However, while Ceredigion Council might consider this information to be low-risk, the devastation such negligence can cause shouldn’t be underestimated. Just having access to an individual’s name and address can put them at serious threat of identity fraud.

Furthermore, one councillor has rightly raised the point that, for someone fleeing violence, the impact of such data falling into the wrong hands could “mean loss of life for somebody.”

As such, some residents believe that the council is “playing down” the data breach.

Why did the breach happen?

Although the data breach only came to light last August, it is thought to have occurred when the authority’s website was redesigned in 2013. This means that this sensitive information was at risk for years. However, the man who notified the council of the breach said he reported the same data on the council’s old website as far back as 2007.

After looking into the breach, it appears that the problem occurred as the documents had been incorrectly under a new electronic management system in 2006. All records at the council are now verified by two people to evaluate whether they should be kept secret or not.

The Information Commissioner’s Office is due to report on the incident.

Local governments must do better

The violation at Ceredigion Council is similar to our experiences of data breaches at local authorities across the country. And, as in this instance, in most cases it is human error rather than cybercrime that is the biggest cause of data privacy violations.

Some examples of cases investigated by the ICO include where:

  • The Royal Borough of Kensington and Chelsea was fined £120,000 after it unlawfully identified 943 people who owned vacant properties in the borough
  • Nottinghamshire County Council was fined £70,000 for leaving vulnerable people’s personal information exposed online for five years
  • Islington Council was fined £70,000 for failing to keep up to 89,000 people’s information secure on its parking ticket system website
  • Basildon Borough Council was fined £150,000 for publishing sensitive personal information about a family.

The impact of a data breach can be very harmful

A data breach can lead to financial fraud and identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

And, even if nothing has been done with that information as yet, it doesn’t mean the data is safe.

Working exclusively on data breach and cybercrime cases, it has become clear to our solicitors that the impact and losses people sustain following a data privacy violation are not always immediately apparent. Indeed, in the Ticketmaster data breach, we are starting to see cases where the impact only became clear months later. This is often because data stolen is used in batches over time.

What’s more, even if you haven’t lost out financially after a data breach, this doesn’t mean that there is “no harm done.” A data breach can lead to distress and psychological trauma. And, like the financial losses, the full impact often isn’t felt until much later.

What can you do to stop this from happening to you?

If you are concerned that your data might be put at risk, either by Ceredigion Council or by another local authority, you can ask for a copy of the data the council holds about you. This is called making a subject access request (SAR). Find out more about making a SAR.

This won’t guarantee that an error doesn’t result in your information being exposed, but it is a reasonable safety precaution to take. You can also ask the council for a copy of their acceptable use policy and data protection policy.

Not just hackers

Our local governments were hit by almost 100 million cyber-attacks over five years, with one in four council systems successfully breached. Indeed, the sector has proved a lucrative target for hackers, often because of a reliance on unsecured legacy software and a lack of preparation for dealing with cyber-attacks.

But while the threat of cybercrime is something that the public sector needs to take seriously, human error remains the leading cause of breaches. And these errors (which are just as likely to happen offline) must also be addressed.

At Hayes Connor, our expert solicitors deal with a significant number of local and national government data breach cases. During our work, we see many different types of claims and understand how data breaches can affect people in different ways.


For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.