Cyber security across local councils is ‘disjointed and under-resourced’

In the wake of the coronavirus (Covid-19) pandemic, we’ve been spending more time online. As a result, more of our personal data is also online. There’s also been an increase in certain kinds of cyber attacks since the start of the pandemic. According to an Interpol report, cybercriminals are beginning to target “corporations, governments and critical infrastructure”.

And this is affecting councils in the UK too. Because, as reported by Alex Scroxton in ComputerWeekly.com, Freedom of Information (FoI) requests show:

UK councils reported more than 700 data breaches to the Information Commissioner’s Office (ICO) during 2020

But the damage is not limited to councils. Because a number of healthcare providers have also been hit by similar data breaches.

Damage done

The FoIs were disclosed to security services provider Redscan. In Scroxton’s article, he explained:

Redscan received responses from over 60% (265 of 398) of borough, district, unitary and county councils in England, Scotland, Wales and Northern Ireland,

The security company found evidence that UK local government cyber security is “by and large, disjointed and under-resourced”. And responsibility for local government rests with central government. According to a report commissioned by the Local Government Association (LGA), as of 2020, “local authorities will have faced a reduction to core funding from the Government of nearly £16 billion over the preceding decade”. Meanwhile the data of private citizens is at risk.

So these are real concerns. Because according to Redscan’s chief technology officer Mark Nicholls:

Every council has thousands of citizens depending on its services daily. Going offline due to a cyber attack can deny people access to critical services. To minimise the impact of data breaches, it is important that councils are constantly prepared to prevent, detect and respond to attacks.

However, according to Nicholls:

While our findings show that councils are taking some steps to achieve this, approaches vary widely and, in many cases, are not enough.

So because data held by councils is at risk from cybercriminals, people need assurances that their data is safe.

Previous attacks on councils

Unfortunately, data breaches are far from uncommon. As reported by The Canary in June 2020, a subsidiary of Kent County Council, Kent Commercial Services (KCS), was hit by a ransomware attack. The attackers sent KCS a ransom note demanding £800k in Bitcoins.

Ransomware is software used by cybercriminals to gain access to information on computers. The criminals ensure the computer is inaccessible so they can steal, delete, or encrypt that information. Cybercriminals then ask the computer user to pay a ransom to get the information back.

In February 2020, Redcar and Cleveland Council suffered a similar attack to KCS. That meant over 135,000 UK residents didn’t have access to online public services for almost one week. That included services related to social care and housing complaints. According to ComputerWeekly.com 10 councils, including Redcar and Cleveland, reported disruption to daily operations in 2020 as a result of a breach or ransomware attack.

Attacks on healthcare

In May, an Edinburgh mental health clinic was hit by a phishing scam. The scammers were able to access email addresses. Also in May, “a gaping security hole” was discovered in the NHS’ vaccination booking website. This “hole” could have been used “to find out whether someone has received a jab”.

On 14 May this year, the Irish Health Service Executive (HSE) also suffered a ransomware attack. The Irish government says it didn’t pay a ransom. However, the HSE chief executive estimated the attack could have a human costs as well as a cost of around €0.5bn.

Protect our data

These data breaches and attacks on councils and healthcare reveal how vulnerable personal data can be. It also highlights that in a world of increasing online presence, we need to be extra vigilant about where and with whom we share our data. But ultimately, the onus of ensuring local councils are fully resourced to manage our data is on the government.

Featured image via Unsplash – FLY:D