FOI Request Reveals Scale of Data Breaches at UK Councils

UK councils have been hit by a staggering 33,645 data breaches caused by human error in the past five years, according to official figures.

The data, which was obtained following a Freedom of Information (FoI) request sent by VPNOverview to 103 county councils in the UK, also broke down the number of breaches suffered by each body. The local authority with the worst record for human-caused data breaches was Hampshire County Council, with 3759 incidents since 2016. This included 902 breaches in the year 2018/19.

Gloucestershire County Council had the next worst record, suffering 2723 breaches in this period. It also experienced the largest increase from 2016/17 (90) to 2020/21 (1004) of any UK council, a rise of 1016%.

Gloucestershire was followed by Lancashire (1260), Warwickshire (1252), East Sussex (1250) and Norfolk (1226). It was also noted that Lancashire did not have figures available for the year 2016/17.

In contrast, several councils experienced an extremely low number of data breaches caused by human error, with Armagh, Banbridge and Craigavon Borough (4) and Mid and East Antrim Borough (6) recording single digits. Derry City and Strabane District Council and Mid Ulster District Council – Dungannon recorded 10 data breaches over the five years.

The local authority with the most improved record over the period was Essex County Council, which achieved an 86% reduction in breaches from 2017/18 to 2020/21.

The figures are worrisome considering the highly sensitive data local authorities hold on citizens. This point has been raised by David Janssen, a cybersecurity analyst at VPNOverview: “Next time you’re thinking of applying for planning permission or even just asking for a second recycling bin – be aware of who you’re giving your data to and how it’s going to be handled.”

Several UK local authorities have experienced damaging cyber-attacks recently. These include Redcar & Cleveland Borough Council, which caused online public services to be unavailable for 135,000 locals for over a week, and Hackney Borough Council in London, after which sensitive data about staff and citizens was allegedly published on the dark web.

What’s Hot on Infosecurity Magazine?