UK councils admit security failings with 1500 data breaches declared in 2022
Councils within the United Kingdom have disclosed almost 1500 data breaches and over 600 devices were lost or stolen during the course of 2022.
The findings come from Freedom of Information (FoI) requests submitted to local councils into the number of data breaches and security of devices held by their employees.
The research, conducted by Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives, found that Suffolk County Council alone amassed 651 incidents between September 2021 and September 2022.
To add to that, Warwickshire County Council declared that they had 367 breaches, North Yorkshire County Council admitted to 259 breach incidents, Essex County Council disclosed 168, Oxford 31, and East Sussex 13 breaches between September 2021 and September 2022.
"Data breaches are a daily occurrence, but when local authorities are racking up hundreds in a very short space of time, it is a definite sign that something is amiss," says Jon Fielding, Managing Director, EMEA Apricorn.
"When the first breach occurs, organisations should be looking to address the cause and rectify this as soon as possible," he says.
"Flags should be raised, security processes checked, and checked again, and staff continually educated on cybersecurity best practice, whether that be highlighting the use of approved and encrypted storage devices, or simply changing passwords; it's all critical to the security of data."
In addition, 13 of the 27 councils questioned confirmed that they have had to disclose or inform the ICO of a data breach for reasons other than the loss or theft of devices, such as a cloud or supply chain breach.
"Though these figures are high, it does demonstrate that some of these authorities appear to be following the necessary protocols when it comes to disclosing data security incidents," says Fielding.
"That said, with so many significant breaches occurring, they do still have some way to go in terms of protecting the information and data they handle."
Positively, despite disclosing six data breaches and 55 lost and stolen devices, Kent County Council appear to have a thorough breach reporting strategy in place and were able to provide detailed information on all breaches. This included, but was not limited to, full details of the incident, those involved, the times the breaches were disclosed, the volume of data exposed, details of which of those breaches were escalated to the ICO, and the current status of the incidents.
The Kent County Council disclosures highlight some common threats to data, including third-party risks, user error and insider threats, with examples of ex-employees emailing information to a personal email address, network account compromise, and a student accessing data on three staff drives.
Fielding says these are security breaches that can very easily be avoided.
"When employees are left to their own devices, even the best technical measures are likely to fail," he says.
"Government organisations, like any, must be proactive and ensure they are building stronger security cultures with defined policies and responsibilities for all staff members to follow.
"They should also apply encryption and endpoint control solutions to all devices, be it a USB stick, laptop, mobile phone or other. If these are then misplaced, critical information will remain secure."
Worryingly, Hampshire County Council also admitted to the loss and theft of more than 168 devices, yet the authority declined to provide details of any data breaches in that time. The findings are concerning given that previous reports found that between 2016 and 2021 the authority reported 3,759 breaches caused by human error, 891 of them between 2020 and 2021.
"Government authorities are obliged to respond to FoI requests, and whilst these can prove time consuming and costly in some instances, information surrounding data loss and cyber security incidents should be well documented if regulations are being adhered to correctly," Fielding says.
"If this information cannot be easily retrieved, processes need to be addressed in terms of data collection and storage, and policies need to be put in place."