While you might think local authorities would have appropriate protections in place to prevent a data breach from occurring, that isn’t always the case. Here’s why…

Data breaches occur on a seemingly daily basis, with organisations in all manner of different industries falling victim to cyber-attacks or committing avoidable mistakes that expose vast amounts of personal data.

The sheer quantity of data breaches that have occurred over the past few years indicate that no organisation is infallible and, as you’ll soon learn, that includes local authorities.

Local authority data breaches are much more common than many people may initially realise, and the effects on affected individuals have often proved to be devastating. In fact, it was reported that UK Councils reported more than 700 data breaches to the Information Commissioner’s Office alone.

Here, we discuss some of the most notable local authority data breaches that have taken place in the UK over the past few years. We’ll note what went wrong and how each authority responded to their shortcomings. Take a look…

5 UK Local Authority Data Breaches

New Forest District Council Divulge Details of Right to Buy Owners

On 31 August 2018, New Forest District Council received a request for a list of council housing in the area. Said request sought out a list of all former Council properties, including any that were purchased under the Right to Buy Scheme.

The request was put through the website www.whatdotheyknow.com (WDTK), which assists members of the public with Freedom of Information Act (FOIA) requests. These requests are then published online.

When an officer from New Forest Council responded to the request, they accidentally attached a spreadsheet with a tab that, when opened, contained a list of properties that had been purchased through the Right to Buy Scheme, as well as personal data belonging to individuals that purchased the properties. Incredibly, the breach was only discovered three years later in 2021!

The council responded by sending out letters to members of the public who had their data exposed, apologising for any distress caused.

Blackpool Council Expose Personal Details of HMO License Holders

In a very similar incident, Blackpool Council mistakenly revealed the personal details of hundreds of House in Multiple Occupation (HMO) license holders in 2018. This occurred after they responded to a legitimate Freedom of Information request, where a member of the public asked for a list of current HMO licenses issued for Blackpool.

The council provided more information than was necessary, including sensitive personal data such as dates of birth and contact details. This was freely available online until the mistake was noticed at the start of 2021 – a severe breach of the General Data Protection Regulation (GDPR).

Over 400 people had their personal details exposed and Blackpool Council were forced to self-report to the Information Commissioner’s Office.

Hackney Council Suffer Data Breach Following Cyberattack

In October 2020, Hackney council reported a data breach after they experienced what was described as a ‘serious cyber-attack’. Though few details were released regarding the exact nature of the attack, there were a number of further developments over time.

At the start of 2021, it was reported that the data stolen in the breach was published on the dark web for extortion purposes. The infamous criminal group known as Mespinoza took responsibility for publishing the data.

The Mayor of Hackney Council released a statement, saying: “I fully understand and share the concern of residents and staff about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected.”

Somerset Council Reveal Email Identities of People with Positive Covid Results

Since the start of the Covid-19 pandemic, local authorities have been keeping track of anyone who has tested positive for the virus, contacting them where necessary. Of course, this is very sensitive data which needs to be handled very carefully – something Somerset Council failed to do.

At the end of 2020, a number of people who had tested positive for Covid-19 had their identities shared without their consent. This was down to a simple human error on the part of Somerset Council.

The Director of Public Health for Somerset contacted the otherwise unconnected group of people via email. However, every recipient was copied in, meaning each person’s email identity was revealed.

Bristol City Council Share Details of Families with Disabled Children

Bristol City Council also suffered an email-related faux-pas in 2020, after they contacted the primary carers of hundreds of disabled children, asking for their views on a new support service.

When sending an email to multiple recipients, the expected practice is to use ‘blind carbon copy’, or ‘Bcc’. However, the individual responsible for sending the email used ‘carbon copy’, so every other recipient, and the name of the disabled child, was visible to all.

Ann James, the Bristol City Council director responsible for children and families, apologised, stating: “The breach was caused by human error and I apologise unreservedly for any distress that this may have caused you or your family.”

A spokesperson for Bristol City Council also said: “Where staff have made a mistake the matter is addressed as a training issue, and where there have been failures in policy or process any necessary changes are made to reduce the risk of a similar incident occurring in the future.

“In addition to an internal investigation, the ICO will also provide recommendations which Bristol City Council will act upon.”