Apricorn has released the findings of its annual Freedom of Information (FOI) requests to 27 local councils. It asked specifically about data breaches and device loss and found that 17 of those councils between them admitted to more than 5,000 data breaches in 2023.
Jon Fielding, Managing Director, EMEA Apricorn, said, “We’re familiar with the fact organisations suffer data breaches, particularly those housing valuable customer data. That said, the excessive number of breaches being declared is concerning.
“These government organisations should be setting a precedent in terms of data protection. Whilst we know there is no silver bullet for preventing a breach, multiple steps and processes can be put in place to limit the risks of a breach.
“The councils should invest in comprehensive training programs to educate employees about the importance of safeguarding data and the proper protocols to follow in case of device loss or theft.”
Loss of devices leading to greater breaches
Councils are reluctant to publish information on data breaches. It took detailed FOI requests to each council to establish what had been lost and the resulting risk of a data breach. Even where councils did respond, the completeness of the data is questionable.
Almost 60% of the reported breaches were recorded at just five councils. The worst performers are:
- Kent County Council – 734 breaches
- Surrey County Council – 665 breaches
- Norfolk Council – 605 breaches
- Warwickshire County Council – 495 breaches
- East Sussex – 490 breaches
Councils failing to track or protect devices
Not all councils record the number or type of devices used to hold data. Lancashire County Council was one of those. Without that inventory it cannot assess the risk of a data breach from a lost or stolen device, because it does not know what is in circulation or what it holds.
Surrey County Council is not much better. It said it did not track peripherals and that responsibility for memory sticks sits with individual departments. Its asset management team therefore has no visibility of which devices are in use, where they are, or what data they hold.
One council that does track devices is Warwickshire County Council. However, it admitted that its USB devices are not encrypted, which means that data on them is unprotected. It did say that “it relies upon the use of Multi-Factor Authentication (MFA) to be able to access its systems, whether that be laptop or mobile.” It also went on to say that all devices can be remotely wiped. That is reassuring for laptops and phones, but neither control helps with a USB drive. MFA gates access to the council’s systems, not to the files on a memory stick, which can be read on any computer it is plugged into. Remote wipe depends on a management agent running on a device that is connected to the network; a USB stick has no agent and no connection, so once it is lost, only encryption stands between the finder and the data.
Lost data has serious financial consequences
Councils are a prime target for cybercriminals, given the sensitive nature of the data they hold. It ranges from council tax records to child protection, education and planning files. For that reason, they have a statutory duty under data protection law to protect that data.
Without a full and accurate inventory of every device capable of holding data, councils cannot track those devices. Furthermore, unless those devices are encrypted and, where the device type supports it, capable of being remotely wiped, any loss puts the data on them at risk.
Data loss has serious consequences for councils. If the regulator finds a council in breach of its obligations, the monetary penalties can be high. At a time when council budgets are already under extreme pressure, any fine will have wider implications. It is not just councils who are at risk. When personally identifiable information (PII) is lost, the individuals concerned face financial and other consequences as well.
Enterprise Times: What does this mean?
Device control is a prerequisite for any credible data protection policy. A major problem is that many of the councils surveyed have no active approach to tracking and encrypting the devices that hold their data. These FOI requests have uncovered a worrying lack of attention, even complacency, by councils towards data protection.
The Information Commissioner’s Office (ICO) regularly audits councils, generally with their consent. Where appropriate, it also audits in response to complaints. Over the last two years, most of those audits have focused on FOI failures.
However, a growing number of audits have looked at data protection. The majority identify many Urgent or High-priority areas to address. Surprisingly, there has been no penalty action against government bodies, which seems strange when reading the audit findings.
It will be interesting to see whether this changes, or whether the ICO will continue its relaxed approach of merely auditing government bodies.