Local authorities in the UK commit data breaches four times a day, with many involving details of children.
The ‘A Breach of Trust’ report by Big Brother Watch found that 4236 data breaches occurred at local councils between 2011 and 2014.
This included 401 instances of data loss or theft, with 628 instances of incorrect or inappropriate data being shared via email, letters or faxes.
The Freedom of Information (FOI) request also found that 5293 letters were sent to the wrong address or contained personal information not intended for the recipient.
In addition, 197 mobile phones, computers, tablets and USBs were lost or stolen.
While 658 of the breaches involved children’s information, only 1 in 10 data breaches resulted in disciplinary action. This included 39 resignations, 50 dismissals and 1 court case in which a Southampton Council employee was prosecuted by the ICO for transferring data to his personal email.
Data breaches have been a regular feature in the news recently, with a hack into Carphone Warehouse making headlines over the weekend. However, the Carphone Warehouse breach was the result of an intentional attack, while the council problems were caused by error.
Bob Tarzey, Analyst and Director at Quocirca, comments that councils could be more vulnerable to intentional attacks in the future.
"Is local government likely to be more of a target for data theft? Sure, hackers want personal details to use for social engineering, phishing and so on. If local government defences are weak, then their data will be targeted.
"That said, the thieves will suffer from the same misdirected communications when trying to use this data as the councils' employees do themselves. In that respect, whilst the data is so inaccurate it has less value to criminals."
"This report provides even more evidence that human error really is the biggest challenge facing information security professionals and it needs to be dealt with," comments Tony Pepper, CEO for Egress.
"While public sector organisations already have top-down policies and procedures in place, it is clear that staff are not following these rules and that in many cases, there are not really any repercussions if they fail to do so.
"However, it is not all down to the individual to mitigate this; people will always make mistakes, and organisations need to accept that, but they should not accept that this needs to result in confidential data being breached."
Tarzey argues that the security breaches were mainly driven by poor processes as opposed to careless employees:
"The majority of the breaches identified seemed to be misdirected communications and I suspect these are mostly computer-generated, even if a customised letter is sent by a council employee to a local resident, the data used will come from a database. In other words, this is less careless employees and more poor data and process.
"A big part of data security is better informed employees, and this should not be overlooked, but local government needs to take more care of its data, not just to ensure it is secure but that it is up to date and accurate."