UK Councils and Hospitals Vulnerable to Cyber Hackers

An investigation into cybersecurity at UK public services revealed a large disparity in defense budgets, hundreds of website vulnerabilities, and staff email addresses and passwords from one council posted in full online.

The ITV News investigation found that one UK council spent only £32,000 a year on cybersecurity. By comparison, another council – with a smaller population – had an annual cybersecurity budget of £1m, over 30 times larger.

The investigation also revealed that one hospital had only put aside £10,000 a year towards cybersecurity.

The investigation is withholding the names of the public institutions.

ITV News found that the cyber-attacks had caused real-life problems, including:

  • Residents forced to leave their homes
  • Canceled hospital operations
  • Incorrect benefit payments
  • Overcharged tax bills
  • House sales falling through
  • Repairs to council houses not being carried out
  • Inability to apply for council housing
  • Sensitive data leaked online

The investigation noted that various experts expressed concern to ITV News about a lack of clarity and standards for public services regarding cybersecurity.

In December of last year, Gloucester City Council’s servers were compromised by Russian hackers. Last month, it was reported that its IT systems are still not fully operational. The local authority set aside £380,000 ($514,000) to remediate and recover from the incident, according to reports.

In October of last year, it was reported that UK councils had been hit by a staggering 33,645 data breaches caused by human error in the past five years, according to official figures.

The data, obtained following a Freedom of Information (FoI) request sent by VPNOverview to 103 county councils in the UK, broke down the number of breaches suffered by each body.

The local authority with the worst record for human-caused data breaches was Hampshire County Council, with 3759 incidents since 2016. This included 902 breaches in the year 2018/19.

Gloucestershire County Council had the next worst record, suffering 2723 breaches in this period. It also experienced the largest increase from 2016/17 (90) to 2020/21 (1004) of any UK council, a rise of 1016%.

In January of this year, the UK government unveiled its first-ever cybersecurity strategy, which aims to protect essential public sector services from being shut down by hostile threat actors. Chancellor of the Duchy of Lancaster Steve Barclay announced £37.8m in funding to help local authorities boost their cyber-resilience. This will protect essential services and data, such as housing benefits, voter registration, electoral management, school grants and social care provision.

Oz Alashe, CEO and founder at behavioral security platform CybSafe, commented:

“The public sector is a potential gold mine for cyber-criminals, with personal and health information being a target for identity fraud and broader financial crime. The ITV investigation into public sector spending revealed a ‘disparity in defense budgets’ and many vulnerabilities, with one hospital spending just £10,000 a year on cybersecurity. 

“Cyber-attacks pose a real threat to the public sector. According to ICO data analyzed by CybSafe, local government accounted for 10% of all cyber incidents in 2021 and 5% of total cyber-attacks, an almost 50% increase from the number of attacks in 2020. 

“Realistic funding, along with the right strategies, is vital to safeguard employees and members of the public. Public sector organizations must take steps to not only raise awareness of new and emerging cyber threats but also provide effective security training and support.

“By equipping and empowering employees with the knowledge and know-how to spot and avoid attacks, the UK’s local authorities will be able to remain one step ahead. This isn’t just about technical defenses; it’s about supporting people in their day-to-day lives.”
