ICO fines council for data breach during outsourcing process

04 July 2017

The Information Commissioner’s Office (ICO) has fined Gloucester City Council (GCC) £100,000 after a cyber attacker accessed council employees’ sensitive personal information.

The attacker, who claimed to be part of the Anonymous hacking group, took advantage of a weakness in GCC’s website in July 2014. This led to more than 30,000 emails being downloaded from council mailboxes. The messages contained financial and sensitive information relating to around 35 former or current staff. The breach also resulted in Twitter accounts belonging to senior council officers being compromised.

The attack exploited the Heartbleed bug in OpenSSL and occurred while GCC was outsourcing its IT systems. In its penalty notice to the council, the ICO stated that Gloucester’s IT staff had identified that the Heartbleed vulnerability affected its systems, via a SonicWall appliance which contained an affected version of OpenSSL. The notice points out that by that time a patch had already been released to fix the flaw. The council intended to apply it, but the update was overlooked during the outsourcing process.
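The failure here was not an unknown flaw but a known one that fell out of tracking. As an added illustration (not from the ICO notice or the council), this script checks an asset inventory's OpenSSL version banners against the Heartbleed-affected range (1.0.1 to 1.0.1f and the 1.0.2-beta1 prerelease) and separates hosts that could not be assessed from those confirmed clean; the host names and banners are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g) and the
# 1.0.2-beta1 prerelease (fixed in 1.0.2-beta2). Older branches (0.9.8, 1.0.0)
# never contained the vulnerable heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_affected(banner: str) -> Optional[bool]:
    """True if the OpenSSL version in `banner` is in the affected range,
    False if it is outside it, None if no OpenSSL version can be parsed."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later fixed.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"
    return False


# Constructed inventory: (host, version banner captured from `openssl version`
# or from an appliance's admin page). Not real systems.
INVENTORY = [
    ("web-proxy-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("fw-appliance", "OpenSSL 1.0.1f 6 Jan 2014"),
    ("mail-gw", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy-app", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("printer", "Embedded web server 2.1"),
]


def unpatched_hosts(inventory) -> Tuple[List[str], List[str]]:
    """Return (hosts still on an affected build, hosts whose banner could not
    be parsed). Unparsed hosts are reported rather than silently dropped, so
    they cannot fall out of the patch-tracking list during a handover."""
    affected, unknown = [], []
    for host, banner in inventory:
        verdict = heartbleed_affected(banner)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            affected.append(host)
    return affected, unknown


if __name__ == "__main__":
    print(unpatched_hosts(INVENTORY))
```

A banner check is a triage aid only: distributions that backport fixes keep the old version string, so a flagged host is confirmed against the vendor's advisory rather than the banner alone.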

The ICO investigation concluded that the council did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made, and fined the organisation for contravening section 55A of the Data Protection Act 1998.

“Businesses and organisations must understand they need to do everything they can to keep people’s personal information safe, and that includes being extra vigilant during periods of change or uncertainty,” said ICO group enforcement manager Sally Anne Poole.