A Medway Council data breach incident has been discovered by a security researcher after “rudimentary” tests found a bug in a system that may have exposed personal data.
Council data breach compensation claims are increasingly common these days, and many of them are likely down to a lack of investment in security and technology. One of the most common types of legal cases we take forward involves local authorities or the agencies they employ, and we regularly see these kinds of breach stories hitting the news.
In this case, it appears that an issue with an online inquiry form may have allowed anyone to access the personal information of some residents.
About the Medway Council data breach incident
The Medway Council data breach incident reportedly stems from a bug in an online inquiry form that is part of the Kent Channel Migration Project, which is aimed at encouraging greater use of technology.
It’s understood that this project has had some previous flaws and issues, resulting in delays. A security researcher has since discovered a flaw whereby the form could be manipulated to access and edit residents’ personal information.
Data that has been at risk of exposure is thought to include names, email addresses and telephone numbers.
What’s being done about the breach?
In response to the Medway Council data breach incident, the council has self-reported to the UK’s data watchdog, the Information Commissioner’s Office (ICO).
Residents whose information may have been exposed due to the flaw may need to be contacted as well. If the ICO finds that the issue is serious enough to issue a financial penalty, the local authority could be faced with having to pay a GDPR fine.
A spokesperson for the Council said:
“We would like to reassure residents this was an isolated issue with our inquiry forms, which involved web links being manipulated to gain access.”
On how quickly they dealt with the problem, the spokesperson said:
“As soon as we became aware that a technical expert had gained access to some forms on our website, we immediately removed all potentially affected forms. We have also taken action to fully resolve the technical issue to avoid this happening again. We have provided the Information Commissioner’s Office with an initial report, and have steps in place to ensure all data is protected.”
A lucky escape?
Based on what we know so far, the Medway Council data breach incident may well be one of those lucky escape situations.
The issue was identified and reported by a security researcher as opposed to a hacker. Of course, we don’t know whether anyone else has been able to exploit the weakness, and it’s worrying that the issue was reportedly easy to identify with testing.
As more and more of these local authority data breach incidents occur, it seems clear that more funding is required from central government in order to ensure the data councils hold is safe and secure at all times.
IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
First published by Matthew on July 30, 2019