Gloucester City Council fined £100,000 for “allowing” Heartbleed cyber-attack

Gloucester City Council fined £100,000 for “allowing” Heartbleed cyber-attack

Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.

Start Your Claim
Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Gloucester City Council have let down employees after cyber-attackers accessed their personal details. The Information Commissioner’s Office (ICO) has imposed a monetary penalty of £100,000 for their reportedly lax attitude.

On 7th April 2014, there was the vulnerability known as ‘Heartbleed’ which gathered huge media attention. The vulnerability was quickly addressed as the affected software (‘OpenSSL’) was released which fixed the vulnerability. Unfortunately, the vulnerability was overlooked as Gloucester City Council was in the process of outsourcing its IT services to a third party company on 1st May 2014.

On 17th April 2014, the ‘Heartbleed’ vulnerability was found in Gloucester City Council’s system. They were aware of the vulnerability as they were using an appliance known as ‘SonicWall’ which contained an affected version of the OpenSSL. When the council knew of the vulnerability, there was a ‘fix’ readily available. They had the intentions of applying the ‘fix’ to the vulnerability in accordance with its update policy.

What information was breached?

Around 22nd July 2014, three months after the initial incident, Gloucester City Council sent an email to its employees informing them that some senior officers’ Twitter accounts had been compromised by a cyber-attacker. They also received a response from the cyber-attacker who notified them that he had infiltrated 16 users’ mailbox via the ‘Heartbleed’ vulnerability.

What is perhaps even more surprising is the fact that the cyber-attacker was able to download over 30,000 emails from an officer’s mailbox, who hasn’t been identified for data protection purposes. Within the 30,000 emails, the cyber-attacker was able to retrieve sensitive and financial information regarding 30 to 40 former or current employees at the city council.

Breach of Data Protection Act

The ICO gathered information and found Gloucester City Council has breached data protection principles.

In particular, the ICO finds that Gloucester City Council:

Failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data which breaches the 7th data protection principle.
Didn’t have in place appropriate technical and organisational measures that ensured an incident like this wouldn’t occur. For example, they should’ve ensured emails containing financial and sensitive information couldn’t be accessed.
Upon knowing of the ‘Heartbleed’ vulnerability, they didn’t immediately patch up the vulnerability, even though there was a ‘fix’ readily available at the time i.e. there was an ongoing breach from 8th April until 22nd July.
During its outsourcing of its IT services, they didn’t ensure that the vulnerability was applied at the time.

It’s clear that there should’ve been robust measures to safeguard the personal information of so many employees. There wasn’t a good enough exception that Gloucester failed to patch up the vulnerability, despite the fact that it could’ve been patched up before they outsourced their IT work.


On these grounds, the ICO is satisfied that Gloucester infringed upon the Data Protection Act and therefore issued a monetary penalty of £100,000.

Start Your Claim

You can call our claims team free from a landline or mobile on 0800 634 7575 or click on the link below to create a call back with one of our expert Data Claims team.Information on how we handle your data is available in our Privacy Policy.

We offer genuine No Win, No Fee agreements for our clients. Why we do this is simple:

Leading Data Breach Lawyers
Our experience speaks for itself.
We will fight for your right to compensation.
Access to Justice
As a victim of a data breach or hack, you deserve your chance to get access to justice.
Risks Assessment
We carefully risk assess your case and take it on if we think we have a good chance of winning the claim.

Request A Callback From Our Team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'
arrow-up icon