Council fined £100,000 after sensitive information ceased

Gloucester City Council has been fined £100,000 by the Information Commissioner’s Office (ICO) after a cyber attacker accessed council employees’ sensitive personal information.

Despite well publicised warnings from the ICO and the media, the council failed to repair a ‘Heartbleed’ software flaw, leaving personal information at risk and breaking data protection law.

The attack, which took place in July 2014, saw more than 30,000 emails being downloaded from council mailboxes, many containing financial and sensitive information about council staff.

The ICO investigation found that the council did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made.

Sally Anne Poole, group enforcement manager, at the ICO said: “This was a serious oversight on the part of Gloucester City Council. The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack.”

In response, Jon McGinty, managing director of the council, said: “The council takes the security of its data very seriously and remains of the view that it did take swift and reasonable steps in 2014 to prevent a data breach as soon as it was alerted to the existence of this hacking vulnerability and the availability of a security patch.

“The Heartbleed vulnerability was a threat to businesses for some time before a patch was issued by software providers. There is insufficient evidence to show that the hacking event took place after the council became aware of the existence of the potential vulnerability. The council believes that the penalty issued by the ICO will have a serious and detrimental impact on its finances, and the services that we will be able to provide to the residents of Gloucester in the future.”