
News & Views

UK Councils rack up 5,000 data breaches

Councils in the UK are continuing to rack up data breaches, according to the latest annual Freedom of Information (FoI) responses on data breaches and device loss amongst 27 local councils gathered by Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives.

The results highlight the significant number of breaches occurring within just 17 of the councils questioned, and the threat to customer data, with over 5,000 breaches recorded in 2023. Most worryingly, Kent County Council alone declared 734 breaches between Jan 2023 and Dec 2023, with Surrey County Council amassing 665 and Norfolk Council not far behind with 605. Other big losses included Warwickshire County Council (495) and East Sussex (490).

“We’re familiar with the fact organizations suffer data breaches, particularly those housing valuable customer data. That said, the excessive number of breaches being declared is concerning. These government organizations should be setting a precedent in terms of data protection.  Whilst we know there is no silver bullet for preventing a breach, multiple steps and processes can be put in place to limit the risks of a breach.  Councils need to invest in comprehensive training programs to educate employees about the importance of safeguarding data and the proper protocols to follow in case of device loss or theft,” says Jon Fielding, Managing Director, EMEA, Apricorn.  

The findings show that Warwickshire County Council's devices are not encrypted and that the organization relies on Multi-Factor Authentication (MFA) to control access to its systems, whether from a laptop or a mobile.  “Whilst all devices have the capability to be remote wiped and all data can be either stored in applications and/or on shared network drives, this does not completely prevent the potential access to sensitive data should any of its devices fall into the wrong hands,” comments Fielding.

When questioned on how many USB devices had been lost or stolen, Surrey County Council said that its peripherals are not tracked, and that memory sticks are a departmental responsibility and are not tracked by asset management.  “Again, this is concerning as devices are not being accurately tracked and documented which could result in a major breach that the council would be unaware of if the items are unknowingly misplaced.”
 
“By implementing security tools and practices such as deploying removable storage devices with built-in hardware encryption, government departments can roll this out across the organization, ensuring all data can be stored or moved around safely offline,” says Fielding.  “Even if the device is lost or stolen, the information will be unintelligible to anyone not authorized to access.”
 
Of notable concern is the response from Lancashire County Council to questions about the number of lost and stolen devices within the organization. The reply stated that it does not record or document this information, putting the council at risk of failing to comply with data protection regulations such as the General Data Protection Regulation (GDPR) and posing a significant threat to customer data security.
 
Without proper records, the council may struggle to demonstrate accountability and transparency in handling sensitive information. In the event of a data breach or loss, the council’s inability to track and report on lost or stolen devices could result in severe consequences, including financial penalties and reputational damage, not to mention the harm to users from the loss of personally identifiable information (PII). This underscores the urgent need for the council to address its data management practices and implement robust measures to safeguard customer data.
 
“Failing to properly document and report lost and stolen devices not only compromises the privacy and security of individuals’ information but also undermines the trust and credibility of the council,” comments Fielding.  “Lancashire County Council should prioritize the implementation of robust documentation procedures.  This includes promptly reporting incidents to the appropriate authorities, conducting thorough investigations, and taking immediate action to mitigate any potential data breaches and demonstrate commitment to protecting the privacy and security of its constituents’ data.”

Responses to Apricorn’s Freedom of Information requests submitted through Whatdotheyknow.com can be found here.