Wigan Council has experienced more than 80 data breaches in the past two years, according to figures released in response to a freedom of information request.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
The data shows that sensitive, confidential or otherwise protected information has been accessed or disclosed on a regular basis in an unauthorised fashion.
An internal review report presented to the audit, governance and standards committee earlier this year states that information security “still remains a high risk area” for the council, with continued data losses, despite officers from internal audit working with the council’s data protection officer on each occasion to ensure the breach was properly investigated, that adequate remedial action was taken and lessons learned are communicated widely.
“On each occasion the Information Commissioner’s Office (ICO) has been satisfied with the council’s response and has not enforced any form of penalty,” the report said.
Various reasons have been given to explain the missing data, according to a report by Wigan Today, including errors with information input, personal data being sent to the wrong address due to outdated information or technical error and IT systems being accessed incorrectly or when unauthorised.
According to the audit report, a burglary in 2017 led to the loss of council-held data, although it is not specified whether this information was held electronically or within physical documents.
Council assistant director for legal services Brendan Whitworth is quoted as saying the council continues to reinforce the importance of data security to all staff with relevant training.
He said data protection and information governance staff are now preparing for the General Data Protection Regulation (GDPR) compliance deadline on 25 May 2018.
In February 2018, an investigation by privacy campaign organisation Big Brother Watch revealed that UK local authorities face an average of 19.5 million cyber attacks a year, which equates to 37 cyber attacks or attempted breaches every minute on organisations that are accumulating growing troves of sensitive and personal information about citizens.
The report not only reveals an “overwhelming failure” by councils to report losses and breaches of data, as well as shortcomings in staff training in the past five years, but also that the problem is not confined to just a few councils.
Commenting on the Wiggan Council breaches, Raj Samani, chief scientist and fellow at security firm McAfee said it is yet another example of the agility of cyber criminal gangs giving them an advantage over public organisations.
“Despite Wigan Council working to investigate the cause of each breach and provide remedial action, it still has not been able to reduce the amount of data breaches,” he said.
According to Samani, for organisations to combat cyber criminals successfully, it is vital that they prioritise threat intelligence sharing in the immediate aftermath of an attack.
“With this in place, it will become much easier for organisations to predict the shape of the next attack, and ensure they have the right procedures in place when it happens,” he said.
Other security commentators have suggested that council implement automation processes to ensure that basic security tasks are performed routinely without needing human intervention.
Although human error is the main factor in making a cyber attack successful, the Big Brother investigation found that three out of four local authorities do not provide mandatory cyber security training to staff and 16% do not provide any cyber security training at all.
These findings raise concerns about the ability and commitment of local authorities to fend off cyber attacks, the report said, despite the fact that councils are collecting more personal information about citizens than ever, making them a growing target for cyber attacks.
“With councils hit by over 19 million cyber attacks every year, one would assume that they would be doing their utmost to protect citizens’ sensitive information,” said Jennifer Krueckeberg, lead researcher at Big Brother Watch.
“We are shocked to discover the majority of councils’ data breaches go unreported and that staff often lack basic training in cyber security. Local authorities need to take urgent action and make sure they fulfil their responsibilities to protect citizens.”