Partner Article
Councils admit security failings with almost 1500 data breaches declared in 2022
Suffolk County Council amass 651 security incidents alone
Manchester, UK – April 19, 2023 – Councils within the UK have disclosed almost 1500 data breaches, and over 600 devices were lost or stolen, during the course of 2022. The findings come from Freedom of Information (FoI) requests submitted to local councils about the number of data breaches and the security of devices held by their employees. The research, conducted by Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives, found that Suffolk County Council alone amassed 651 incidents between September 2021 and September 2022.
To add to that, Warwickshire County Council declared that they had 367 breaches, North Yorkshire County Council admitted to 259 breach incidents, Essex County Council disclosed 168, Oxford 31, and East Sussex 13 breaches between September 2021 and September 2022.
Jon Fielding, Managing Director, EMEA Apricorn, commented: “Data breaches are a daily occurrence, but when local authorities are racking up hundreds in a very short space of time, it’s a definite sign that something is amiss. When the first breach occurs, organisations should be looking to address the cause and rectify this as soon as possible. Flags should be raised, security processes checked, and checked again, and staff continually educated on cyber security best practice, whether that be highlighting the use of approved and encrypted storage devices, or simply changing passwords, it’s all critical to the security of data.”
In addition, 13 of the 27 councils questioned confirmed that they have had to disclose or inform the ICO of a data breach for reasons other than the loss or theft of devices, such as a cloud or supply chain breach.
“Though these figures are high, it does demonstrate that some of these authorities appear to be following the necessary protocols when it comes to disclosing data security incidents. That said, with so many significant breaches occurring, they do still have some way to go in terms of protecting the information and data they handle”, said Fielding.
Positively, despite disclosing six data breaches and 55 lost and stolen devices, Kent County Council appear to have a thorough breach reporting strategy in place and were able to provide detailed information on all breaches. This included, but was not limited to, full details of the incident, those involved, the times the breaches were disclosed, the volume of data exposed, details of which of those breaches were escalated to the ICO and the current status of the incidents.
The Kent County Council disclosures highlight some common threats to data, including third-party risks, user error and insider threats, with examples of ex-employees emailing information to a personal email address, network account compromise and a student accessing data on 3 staff drives.
“These are security breaches that can very easily be avoided. When employees are left to their own devices, even the best technical measures are likely to fail. Government organisations, like any, must be proactive and ensure they are building stronger security cultures with defined policies and responsibilities for all staff members to follow. They should also apply encryption and endpoint control solutions to all devices, be it a USB stick, laptop, mobile phone or other. If these are then misplaced, critical information will remain secure”, commented Fielding.
Worryingly, Hampshire County Council also admitted to the loss and theft of more than 168 devices, yet the authority declined to provide details of any data breaches in that time. The findings were concerning given that previous reports have found that between 2016 and 2021, the authority reported 3,759 breaches caused by human error, with 891 of those between 2020 and 2021.
“Government authorities are obliged to respond to FoI requests, and whilst these can prove time consuming and costly in some instances, information surrounding data loss and cyber security incidents should be well documented if regulations are being adhered to correctly. If this information cannot be easily retrieved, processes need to be addressed in terms of data collection and storage, and policies need to be put in place,” Fielding added.
About Apricorn
Apricorn provides secure storage innovations to the most prominent companies in the categories of finance, healthcare, education, and government throughout North America and EMEA. Apricorn products have become the trusted standard for a myriad of data security strategies worldwide. Founded in 1983, numerous award-winning products and patents have been developed under the Apricorn brand as well as for a number of leading computer manufacturers on an OEM basis.
Media contact: Alicia Broadest Origin Comms t. 07729 102 956 e. apricorn@origincomms.com
This was posted in Bdaily's Members' News section by Apricorn.