Gloucester City Council have let down employees after cyber-attackers accessed their personal details. The Information Commissioner’s Office (ICO) has imposed a monetary penalty of £100,000 for their reportedly lax attitude.
On 7th April 2014, there was the vulnerability known as ‘Heartbleed’ which gathered huge media attention. The vulnerability was quickly addressed as the affected software (‘OpenSSL’) was released which fixed the vulnerability. Unfortunately, the vulnerability was overlooked as Gloucester City Council was in the process of outsourcing its IT services to a third party company on 1st May 2014.
On 17th April 2014, the ‘Heartbleed’ vulnerability was found in Gloucester City Council’s system. They were aware of the vulnerability as they were using an appliance known as ‘SonicWall’ which contained an affected version of the OpenSSL. When the council knew of the vulnerability, there was a ‘fix’ readily available. They had the intentions of applying the ‘fix’ to the vulnerability in accordance with its update policy.
What information was breached?
Around 22nd July 2014, three months after the initial incident, Gloucester City Council sent an email to its employees informing them that some senior officers’ Twitter accounts had been compromised by a cyber-attacker. They also received a response from the cyber-attacker who notified them that he had infiltrated 16 users’ mailbox via the ‘Heartbleed’ vulnerability.
What is perhaps even more surprising is the fact that the cyber-attacker was able to download over 30,000 emails from an officer’s mailbox, who hasn’t been identified for data protection purposes. Within the 30,000 emails, the cyber-attacker was able to retrieve sensitive and financial information regarding 30 to 40 former or current employees at the city council.
Breach of Data Protection Act
The ICO gathered information and found Gloucester City Council has breached data protection principles.
In particular, the ICO finds that Gloucester City Council:
| Failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data which breaches the 7th data protection principle. |
| Didn’t have in place appropriate technical and organisational measures that ensured an incident like this wouldn’t occur. For example, they should’ve ensured emails containing financial and sensitive information couldn’t be accessed. |
| Upon knowing of the ‘Heartbleed’ vulnerability, they didn’t immediately patch up the vulnerability, even though there was a ‘fix’ readily available at the time i.e. there was an ongoing breach from 8th April until 22nd July. |
| During its outsourcing of its IT services, they didn’t ensure that the vulnerability was applied at the time. |
It’s clear that there should’ve been robust measures to safeguard the personal information of so many employees. There wasn’t a good enough exception that Gloucester failed to patch up the vulnerability, despite the fact that it could’ve been patched up before they outsourced their IT work.
Penalty
On these grounds, the ICO is satisfied that Gloucester infringed upon the Data Protection Act and therefore issued a monetary penalty of £100,000.