Ceredigion Council data breach blamed on human error
Human error caused a data breach at Ceredigion Council. The breach resulted in in documents which contained personal and sensitive information being published on the council's website.
In the worst instances, these documents included detailed health information about local residents. Other information was also breached. This was considered lower risk and included names and addresses, company names and transactions for the sale of land.
However, while Ceredigion Council might consider this information to be low-risk, the devastation such negligence can cause can't be underestimated. Just having access to an individual's name and address can result in identity fraud.
Furthermore, one councillor has rightly raised the point that, for someone fleeing violence, the impact of such data falling into the wrong hands could "mean loss of life for somebody."
As such, some residents believe that the council is "playing down" the data breach.
Why did the breach happen?
The data breach came to light last August. But it is thought to have occurred when the authority's website was redesigned in 2013. This means that this sensitive information was at risk for years. The man who notified the council of the breach said he reported the same data on the council's old website as far back as 2007.
After looking into the breach, it seems that the problem occurred when documents were incorrectly moved to a new electronic management system. This happened in 2006.
The Information Commissioner's Office is due to report on the incident. Also, all records at the council are now verified by two people to evaluate whether they should be kept secret or not.
Local governments must do better
The violation at Ceredigion Council is similar to our experiences of data breaches at local authorities across the country. And, as in this instance, in most cases it is human error rather than cybercrime that is the biggest cause of data privacy violations.
Some examples of cases investigated by the ICO include where:
- The Royal Borough of Kensington and Chelsea was fined £120,000. This came after it unlawfully identified 943 people who owned vacant properties in the borough
- Nottinghamshire County Council was fined £70,000. This happened because it left vulnerable people's personal information exposed online for five years
- Islington Council was fined £70,000 for failing to keep up to 89,000 people's information secure on its parking ticket system website
- Basildon Borough Council was fined £150,000 for publishing sensitive personal information about a family.
The impact of a data breach can be very harmful
A data breach can lead to financial fraud and identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.
And, even if nothing has been done with that information, it doesn't mean the data is safe.
Working exclusively on data breach and cybercrime cases, it has become clear that the impact and losses people sustain following a data privacy violation are not always immediate. Indeed, in the Ticketmaster data breach, we are starting to see cases where the impact is only felt months later. This is often because data stolen is used in batches over time.
What's more, even if you haven't lost out financially after a data breach, this doesn't mean that there is no harm done. A data breach can lead to distress and psychological trauma. And, like financial losses, the full impact often isn't felt until much later.
What can you do to stop this from happening to you?
If you are concerned that your data might be at risk, either by Ceredigion Council, or another local authority, you can ask for a copy of the data the council holds about you. This is called a subject access request (SAR).
This won't guarantee that an error doesn't result in your information being exposed, but it is a reasonable safety precaution to take. You can also ask the council for a copy of their acceptable use policy and data protection policy.
Not just hackers
Our local governments were hit by almost 100 million cyber-attacks over five years. With one in four council systems successfully breached. Indeed, the sector has proved a lucrative target for hackers. Often because of a reliance on unsecured legacy software and a lack of preparation for dealing with cyber-attacks.
But, while the threat of cybercrime is something that the public sector needs to take seriously, human error remains the leading cause of breaches. And, these errors (which are just as likely to happen offline) must also be addressed.
At Hayes Connor, our expert solicitors deal with a significant number of local and national government data breach cases. During our work, we see many different types of claims. So we understand how data breaches can affect people in different ways.
For more advice on how to keep your data safe, follow our #NotJustHackers campaign on Twitter and Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you. Or give us a call on 0151 363 5895 to discuss your case in more depth.