UK councils rack up more than 5,000 data breaches in 2023

Freedom of Information request also suggests that Lancashire County Council is failing to meet data protection legislation through a lack of documentation.

Posted 11 July 2024 by Christine Horton


A new Freedom of Information (FOI) request shows more than 5,000 data breaches occurred among 17 local councils in 2023.

The figures are from Apricorn’s annual FOI request to 27 local councils.

Of the councils that responded, Kent County Council alone declared 734 breaches between January 2023 and December 2023, with Surrey County Council amassing 665 and Norfolk Council not far behind with 605. Other big losses included Warwickshire County Council (495) and East Sussex (490).

“We’re familiar with the fact organisations suffer data breaches, particularly those housing valuable customer data. That said, the excessive number of breaches being declared is concerning,” said Jon Fielding, managing director, EMEA Apricorn.

“These government organisations should be setting a precedent in terms of data protection. Whilst we know there is no silver bullet for preventing a breach, multiple steps and processes can be put in place to limit the risks of a breach.

“The councils should invest in comprehensive training programs to educate employees about the importance of safeguarding data and the proper protocols to follow in case of device loss or theft.”

Warwickshire County Council noted that its devices are not encrypted and that the organisation relies on multi-factor authentication (MFA) to control access to its systems, whether from a laptop or a mobile device. While all devices can be remotely wiped and all data can be stored in applications and/or on shared network drives, this does not completely prevent access to sensitive data should any of its devices fall into the wrong hands.

Equally, Surrey County Council, when questioned on how many USB devices had been lost or stolen, noted that peripherals are not tracked and that memory sticks are a departmental responsibility and are not tracked by asset management. Apricorn noted that this is concerning because devices are not being accurately tracked and documented, which could result in a major breach that the council would be unaware of if the items are unknowingly misplaced.

“By implementing security tools and practices such as deploying removable storage devices with built-in hardware encryption, government departments can roll this out across the organisation, ensuring all data can be stored or moved around safely offline. Even if the device is lost or stolen, the information will be unintelligible to anyone not authorised to access,” said Fielding.

Lancashire County Council not logging missing devices

When questioned about the number of lost and stolen devices within its organisation, Lancashire County Council reportedly stated that it does not record or document this information. This, said Apricorn, puts it at risk of failing to comply with data protection regulations such as GDPR, and poses a significant threat to customer data security.

“Failing to properly document and report lost and stolen devices not only compromises the privacy and security of individuals’ information but also undermines the trust and credibility of the council,” said Fielding.

“Lancashire County Council should prioritise the implementation of robust documentation procedures. This includes promptly reporting incidents to the appropriate authorities, conducting thorough investigations, and taking immediate action to mitigate any potential data breaches and demonstrate commitment to protecting the privacy and security of its constituents’ data.”
