Council hit with £100k fine after cyber attack during IT outsourcing

A city council has been hit with a £100,000 monetary penalty after leaving employees’ personal information vulnerable to a cyber attacker who exploited a flaw in the authority’s website.

Gloucester City Council said it was disappointed with the fine imposed by the Information Commissioner and is considering an appeal.

The Information Commissioner's Office said the background to the case was that from 7 April 2014, a vulnerability known as ‘Heartbleed’ received widespread publicity. On the same date, a new version of the affected software (‘OpenSSL’) was released that fixed the flaw.

Ten days later Gloucester City Council’s IT staff identified the vulnerability in its own systems as it was using an appliance known as ‘SonicWall’ which contained an affected version of OpenSSl.

A patch for the affected software was available, which Gloucester intended to apply in accordance with its update policy.

However, the council was in the process of outsourcing its IT services to a third party company on 1 May 2014 and updating the software to address Heartbleed was overlooked.

On or about 22 July 2014, Gloucester sent an email to its staff warning them that Twitter accounts belonging to senior officers had been compromised by an attacker.

The attacker responded to this email by stating that he had also gained access to 16 users’ mailboxes via the vulnerability in the SonicWall appplicance that was used for routing traffic to Gloucester’s services.

The ICO said the attacker was able to download over 30,000 emails from – among others – one officer’s mailbox. [The individual’s name was redacted]

Those emails contained financial and sensitive personal information relating to between 30 to 40 former or current staff.

The attacker claimed to be part of the ‘Anonymous’ group, which has been responsible for a series of publicity stunts and denial of service attacks on government and other websites.

In a monetary penalty notice, the ICO found that Gloucester had failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data, in breach of the Data Protection Act.

The watchdog added that the council “did not have in place appropriate technical and organisational measures for ensuring so far as possible that such an incident would occur, i.e. for ensuring that emails containing financial and sensitive personal information could not be accessed.

“In particular, Gloucester did not have a process in place to ensure that during outsourcing of its IT services, the patch for the Heartbleed flaw was applied at the appropriate time.”

Sally Anne Poole, Group Enforcement Manager at the ICO said: “This was a serious oversight on the part of Gloucester City Council. The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack.”

She added: “The council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff.

“Businesses and organisations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty.”

Commenting on the monetary penalty, Jon McGinty, managing director of Gloucester City Council, said: “The council is very disappointed with this decision by the Information Commissioner, and is considering its position whether to appeal.

“The council takes the security of its data very seriously and remains of the view that it did take swift and reasonable steps in 2014 to prevent a data breach as soon as it was alerted to the existence of this hacking vulnerability and the availability of a security patch. The Heartbleed vulnerability was a threat to businesses for some time before a patch was issued by software providers."

He added: “There is insufficient evidence to show that the hacking event took place after the council became aware of the existence of the potential vulnerability. The council believes that the penalty issued by the ICO  will have a serious and detrimental impact on its finances, and the services that we will be able to provide to the residents of Gloucester in the future. The council has invested more than £1m over the past three years to further improve its IT security and remains vigilant to the threats that all businesses face on a daily basis.

“The council did account for the risk of this potential fine in its accounts for 2016-17 but nevertheless its payment will only result in money being taken away from the people of Gloucester and given to Treasury.”

The ICO has recently published a blog on how vulnerabilities in IT systems can leave organisations open to ransomware attacks.