Two local councils are under fire after personal information of dozens of children was leaked online. The data breaches could leave the councils facing sanctions, and public sector tech leaders should ensure rigorous training programmes are in place for staff if they want to avoid a similar fate.

Uk council data breach
Central Bedfordshire Council is under fire for an apparent data breach (Photo by Peter O’Connor – flickr.com/anemoneprojectors)

Today it was revealed five children in Cornwall had their information posted online by Cornwall Council. In publishing online documents for a meeting of its School Transport Appeals Committee, the council accidentally posted the children’s names, addresses and dates of birth. The council has referred the matter to the Information Commissioner’s office, according to the BBC.

Earlier this week a similar incident came to light involving Central Bedfordshire Council, which was sent a Freedom of Information Request about children in its jurisdiction with Special Educational Needs and Disabilities who have not yet been found a school place. As part of its response to the request, the council published the names and personal information of the children.

Causes and consequences of local council data breaches

The consequences of such a breach can be severe, says Brian Higgins, security specialist at cybersecurity platform Comparitech. “Unfortunately, there is a long list of things that criminals can do with the types of information contained in these leaks, from direct contact [with the victims] to targeted phishing campaigns,” he says.

Identity theft is an especially big risk, Higgins continues. “Young people’s details are particularly popular with organised crime gangs for setting up things like bank accounts, as they are less likely to be discovered since the victims probably haven’t done that themselves yet,” he explains.

The leaks “represent a clear failure to train all staff in their duties under general data protection regulations (GDPR),” Higgins adds. “Everyone responsible for using personal data in the UK must be aware of and follow the ‘data protection principles’,” he says. “There are six of them, and the last one clearly states that information must be, ‘handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.”

These issues are a direct result of poor training, says Javvad Malik, lead security awareness advocate at KnowBe4. “In many cases, these types of breaches come down to lack of security training or awareness,” he says. “While everyone makes errors, having the right cybersecurity controls and appropriate training in place can greatly reduce the risk.”

How can public sector tech leaders prevent data breaches?

Local authorities suffered 33,645 data breaches in the past five years, according to figures obtained under the Freedom of Information act by VPN comparison site VPN Overview last year. Neither Cornwall nor Central Bedfordshire councils feature in the top ten of worst offending authorities, with Hampshire County Council claiming the number one spot with 3,759 disclosed breaches.

For public sector tech leaders tasked with protecting vast amounts of data, regular and rigorous training is the best way to reduce the risk of breaches, says Comparitech’s Higgins. “The only way to combat these kinds of breaches is to implement a mandatory, comprehensive, regular, tested training programme for everyone, from cleaners to CEOs, backed up by a decent incident response plan,” he says. “If you say you take this stuff seriously you really should.”

Read more: Personal data breaches are falling – except in Russia