Councils suffer 1500 data breaches in 2022

Suffolk County Council amasses 651 security incidents alone

Posted 20 April 2023 by Christine Horton

Councils within the UK have disclosed almost 1500 data breaches and more than 600 devices were lost or stolen during the course of 2022.

The findings come from Freedom of Information (FoI) requests submitted to local councils into the number of data breaches and security of devices held by their employees. The research, conducted by USB drive manufacturer Apricorn, found that Suffolk County Council alone, amassed 651 incidents between September 2021 and September 2022.

Warwickshire County Council declared that they had 367 breaches, North Yorkshire County Council admitted to 259 breach incidents, Essex County Council disclosed 168, Oxford 31, and East Sussex 13 breaches between September 2021 and September 2022.  

“Data breaches are a daily occurrence, but when local authorities are racking up hundreds in a very short space of time, it’s a definite sign that something is amiss,” said Jon Fielding, managing director, EMEA Apricorn.

“When the first breach occurs, organisations should be looking to address the cause and rectify this as soon as possible. Flags should be raised, security processes checked, and checked again, and staff continually educated on cybersecurity best practice, whether that be highlighting the use of approved and encrypted storage devices, or simply changing passwords, it’s all critical to the security of data.” 

In addition, 13 of the 27 councils questioned confirmed that they have had to disclose or inform the ICO of a data breach for reasons other than the loss or theft of devices, such as a cloud or supply chain breach.  

“Though, these figures are high, it does demonstrate that some of these authorities appear to be following the necessary protocols when it comes to disclosing date security incidents. That said, with so many significant breaches occurring, they do still have some way to go in terms of protecting the information and data they handle”, said Fielding.

Kent Council: ‘Thorough breach reporting’

Despite disclosing six data breaches and 55 lost and stolen devices, Apricorn noted that Kent County Council appears to have a thorough breach reporting strategy in place, and could provide detailed information into all breaches. This included, but was not limited to, full details of the incident, those involved, the times the breaches were disclosed, the volume of data exposed, details of which of those breaches were escalated to the ICO and the current status of the incidents. 

The Kent County Council disclosures highlight some common threats to data including third party risks, user error and insider threats, with examples of ex-employees emailing information to a personal email address, network account compromise and a student accessing data on three staff drives. 

“These are security breaches that can very easily be avoided. When employees are left to their own devices, even the best technical measures are likely to fail,” said Fielding. “Government organisations, like any, must be proactive and ensure they are building stronger security cultures with defined policies and responsibilities for all staff members to follow. They should also apply encryption and endpoint control solutions to all devices, be it a USB stick, laptop, mobile phone or other. If these are then misplaced, critical information will remain secure.”

Hampshire Council: Not disclosing details

Hampshire County Council also admitted to the loss and theft of more than 168 devices, yet the authority declined to provide details of any data breaches in that time. Previous reports have found that between 2016 and 2021, the authority reported 3,759 breaches caused by human error, with 891 of those between 2020-2021.

“Government authorities are obliged to respond to FoI requests, and whilst these can prove time consuming and costly in some instances, information surrounding data loss and cybersecurity incidents should be well documented if regulations are being adhered to correctly. If this information cannot be easily retrieved, processes need to be addressed in terms of data collection and storage, and policies need to be put in place,” said Fielding.

If this story is important to you, then you should be attending Think Data for Government on May 17th in Westminster.