ICO will look into Edinburgh City Council data breach

Watchdog says it is aware of hack that lost 13,000 people's emails

The Information Commissioner's Office (ICO) has confirmed it will examine a data breach affecting Edinburgh City Council that exposed 13,000 people's email addresses.

Hackers managed to bypass the security of the local authority's website service provider on 3 July, stealing 13,134 email addresses.

The UK's data watchdog did not say whether it would launch an official investigation, but a spokesman told IT Pro: "We are aware of the incident at Edinburgh City Council and will be making enquiries."

No other personal data was lost in the attack, according to the council, which sent an email notifying victims of the breach that their email addresses had been stolen.

The authority wrote: "If you had a password for the website, as a precaution, we have reset your account and you will have to change your password the next time you log in.

"We are taking this incident very seriously. We have made sure that our service providers have reinforced the security of our website and we will continue to monitor security regularly."

While the attack was not as serious as others in which cyber criminals have accessed sensitive personal data, it may affect public trust in the council, according to one victim, William Buchanan, a professor at Napier University.

In a LinkedIn post, he said: "The current breach does not seem serious in terms of its possible impact on citizens, but could have serious implications on the trust levels of citizens with the council.

"It also comes at the same time as other public sector breaches, especially within healthcare, such as from East Sussex NHS Trust, and which involved a non-encrypted memory stick containing the details of over 3,000 patients."

The trust emailed victims to warn them their data, stored on a USB stick, had been lost, it emerged this week, but the memory drive was subsequently returned by a member of the public.

In the ICO's most recent annual report, the most data breaches reported to the ICO came from healthcare, with 439 incidents, followed by 125 local government incidents.

But network security firm Barracuda Networks warned the news highlights the issue of who is responsible for securing web applications - an organisation or its service provider?

Wieland Alge, vice president of EMEA, said: "The most important takeaway here is that just because your hosting service or CDN or cloud provider says that they provide 'a secure environment', it (almost) never means that they secure your web applications as well.

"That responsibility squarely falls on the responsibility of each individual business. Organisations should query their providers regarding web application security specific features and explore avenues of supplementing these."

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

Phishing attacks surge ahead of Black Friday and Cyber Monday
Security

Phishing attacks surge ahead of Black Friday and Cyber Monday

17 Nov 2020
Wisconsin Republican Party allegedly loses $2.3 million to hackers
hacking

Wisconsin Republican Party allegedly loses $2.3 million to hackers

30 Oct 2020
What is hacktivism?
hacking

What is hacktivism?

13 Oct 2020
Webhose and Signal Corp boost data breach detection
Security

Webhose and Signal Corp boost data breach detection

7 Oct 2020

Most Popular

80% of cyber professionals say the Computer Misuse Act is working against them
Security

80% of cyber professionals say the Computer Misuse Act is working against them

20 Nov 2020
Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
Weekly threat roundup: Cisco, BlueKeep, Apache Unomi
Security

Weekly threat roundup: Cisco, BlueKeep, Apache Unomi

19 Nov 2020