UK Information Commissioner’s Office fines Gloucester City Council 100,000 pounds for exposing personal information to cyber attack

June 14, 2017

Addressing vulnerabilities in a website as and when they become known is a critical part of maintaining data security. That requirement is included in all guidance put out by privacy commissioners. Usually it is a fairly straightforward task: updating programs, installing patches when a vulnerability is identified, and responding to notices about threats. Organisations should, but rarely do, organise penetration testing. In the United States there is a culture of engaging white hat hackers to test the cyber defences of government and organisations.

Protecting against well-known vulnerabilities is the necessary minimum, as Gloucester City Council will now realise, having been fined £100,000 for failing to repair a vulnerability, the Heartbleed flaw, in software on the council’s website. This failure allowed a hacker to exploit the vulnerability in July 2014. Sensitive personal information was accessed by hackers when they downloaded 30,000 emails from council mailboxes.

This failure to attend to basic data security procedures had very significant consequences.

In addition to the hefty fine there is the inevitable poor publicity in the Gloucester news, the BBC and the Gazette, among others.

The media release provides:

The Information Commissioner’s Office (ICO) has fined Gloucester City Council £100,000 after a cyber attacker accessed council employees’ sensitive personal information.

The attacker took advantage of a weakness in the council’s website in July 2014, which led to over 30,000 emails being downloaded from council mailboxes. The messages contained financial and sensitive information about council staff.

The attack exploited the ‘Heartbleed’ software flaw. Despite well publicised warnings from the ICO and the media, the council failed to repair the vulnerability in a timely manner, leaving personal information at risk and breaking data protection law.

Sally Anne Poole, Group Enforcement Manager at the ICO said:

“This was a serious oversight on the part of Gloucester City Council. The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack.”

The ICO investigation found that the council did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made.

The attacker contacted them claiming to be part of Anonymous, a group known for attacks on websites.

Ms Poole added:

“The council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff.

“Businesses and organisations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty.”

The Monetary Penalty Notice relevantly provides:

9.  From 7 April 2014, a vulnerability known as ‘Heartbleed’ received widespread publicity in the media. On the same date, a new version of the affected software (‘OpenSSL’) was released which fixed the

10. On 17 April 2014, Gloucester’s IT staff identified the Heartbleed vulnerability in its own systems as it was using an appliance known as ‘SonicWall’ which contained an affected version of OpenSSL. By that time, a patch for the affected software was available. Gloucester intended to apply the patch in accordance with its update policy.

11. However, Gloucester was in the process of outsourcing its IT services to a third party company on 1 May 2014, and updating the software to address the vulnerability was

12. On or about 22 July 2014, Gloucester sent an email to its staff warning them that Twitter accounts belonging to senior officers at Gloucester had been compromised by an

13. The same attacker responded to this email by stating that he had also gained access to 16 users’ mailboxes via the Heartbleed vulnerability in the SonicWall appliance that was used for routing traffic to Gloucester’s services.

14. In particular, the attacker was able to download over 30,000 emails from (among others) – officer’s mailbox.

19. The Commissioner finds that Gloucester contravened the following provisions of the DPA:

20. Gloucester failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data in contravention of the seventh data protection principle at Part I of Schedule 1 to the DPA

21. The Commissioner finds that the contravention was as follows. Gloucester did not have in place appropriate technical and organisational measures for ensuring so far as possible that such an incident would not occur, i.e. for ensuring that emails containing financial and sensitive personal information could not be accessed.

22. In particular, Gloucester did not have a process in place to ensure that during outsourcing of its IT services, the patch for the Heartbleed flaw was applied at the appropriate time.

23. This was an ongoing contravention from 8 April 2014 when a patch for the affected software was available, until Gloucester took remedial action on 22 July 2014.

24. The Commissioner is satisfied that Gloucester was responsible for this contravention.

…

29. The attacker was able to download over 30,000 emails from (among others) – officer’s mailbox. The emails contained financial and sensitive personal information relating to between 30 to 40 former or current staff… The personal data that was obtained was clearly of interest to the attacker given the targeted nature of the attack. The mailboxes therefore required adequate security measures to protect the personal data contained in the emails.

30. This is all the more so when financial and sensitive personal information is concerned – in particular, as regards former or current staff who expected that it would be held securely. This heightens the need for robust technical and organisational measures to safeguard against unauthorised or unlawful access. For no good reason, Gloucester appears to have overlooked the need to ensure that it had robust measures in place to ensure that the patch was applied, despite contracting with a third party company that could have applied the patch before the attack.

31. The Commissioner therefore considers that, by reference to the features of the contravention, it was of a kind likely to cause distress to Gloucester’s former and current staff if they knew that their financial and sensitive personal information … have been accessed by an unauthorised third party who claimed to be a member of the Anonymous group.

32. Further, Gloucester’s former and current staff would be distressed by justifiable concerns that this information would be further disseminated even if those concerns do not actually materialise.

33. In this context it is important to bear in mind that the attacker has not been identified and the emails have not been recovered.

34. If this information has been misused by the person who had access to it, or if it was in fact disclosed to untrustworthy third parties, then the contravention would cause further distress to Gloucester’s former and current staff and damage,

35. The Commissioner therefore considers that, by reference to the features of the contravention, it was of a kind likely to cause damage and distress.

The Australian Privacy Commissioner could do worse than have regard to the weight given to the distress of those whose personal information has been accessed. It would be no bad thing if he took high-profile action against those who breached. Unfortunately, in Australia the regulator is timid and declines to properly publish and highlight what action is taken. As a consequence there is little ripple effect from any action he takes.
