A council has been fined £100,000 by the data watchdog after its employees’ personal information was compromised in a hacking attack.
Taking advantage of a software flaw in Gloucester City Council’s website, the attacker downloaded more than 30,000 emails from the council’s mailboxes.
These email messages contained financial and sensitive information about council staff, according to the Information Commissioner’s Office (ICO).
The ICO, the UK’s data regulator, said the hacker exploited the Heartbleed security bug – which had been widely reported on and patched months prior to the attack.
Heartbleed was publicly disclosed in April 2014. A number of security researchers described it as “catastrophic”, and it led to warnings from government agencies around the world.
The bug affected OpenSSL, a widely used implementation of the TLS (“SSL”) protocol, which users normally experience as the closed green padlock in their browser indicating that their connection to a site is encrypted.
The enormous number of services affected by the bug led researchers at a Finnish security company to coin the name Heartbleed, register a website and design a logo to raise awareness, although this did not prevent the bug from being used to attack websites, including Mumsnet, after it was made public.
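For readers who want to see what the flaw actually was: Heartbleed (CVE-2014-0160) was a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension. A peer sends a heartbeat request carrying a payload and a 16-bit field stating that payload’s length; vulnerable versions copied that many bytes back into the reply without checking that the record really contained them, so a request that claimed 65,535 bytes but sent one returned up to 64 KB of whatever happened to sit next to it in the server’s memory, such as passwords, session cookies, email content or the server’s private key. The C program below is an added illustration written for this article, not OpenSSL’s code: it models the vulnerable and the patched length checks on a constructed memory arena with a made-up “secret” placed nearby, and the record layout, buffer sizes and secret are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory (not OpenSSL's real layout): the
 * inbound heartbeat record is placed at the start and a "secret" from some
 * other request is placed a little way beyond it. The arena is large enough
 * that even a maximal 64 KiB over-read stays inside it, which keeps this
 * demonstration well-defined C. */
#define ARENA_SIZE 70000
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

static unsigned char arena[ARENA_SIZE];
static unsigned char response[ARENA_SIZE];

/* Constructed secret: the kind of data that leaked in 2014. */
static const char secret[] = "Authorization: Basic c3RhZmY6aHVudGVyMg==";

/* Lay out a heartbeat request: type(1) | length(2, big-endian) | payload | padding.
 * `claimed_len` is the attacker-controlled length field; `actual_len` is how
 * many payload bytes are really sent. Returns the record length the TLS layer
 * would report for what actually arrived. */
static size_t build_request(uint16_t claimed_len, size_t actual_len) {
    size_t record_len = 1 + 2 + actual_len + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);                      /* genuine payload */
    memcpy(arena + record_len + 64, secret, sizeof secret);  /* nearby memory */
    return record_len;
}

/* Shared tail: type, echoed length field, `payload` bytes copied from the
 * request, zero padding. Returns the response length. */
static size_t emit_response(const unsigned char *rec, uint16_t payload,
                            unsigned char *resp, size_t resp_cap) {
    size_t total = 1 + 2 + (size_t)payload + HB_PADDING;
    if (total > resp_cap) return 0;   /* stand-in for allocating the reply */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return total;
}

/* Vulnerable (OpenSSL 1.0.1 to 1.0.1f): trusts the attacker's length field and
 * never compares it with the record that actually arrived, so the memcpy
 * above reads up to 65535 bytes past the real payload. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *resp, size_t resp_cap) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;   /* the bug: the real record length is never consulted */
    return emit_response(rec, payload, resp, resp_cap);
}

/* Patched (OpenSSL 1.0.1g): the record must hold header plus padding, and the
 * claimed payload must fit inside it; otherwise the message is silently
 * discarded, as RFC 6520 section 4 requires. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *resp, size_t resp_cap) {
    uint16_t payload;
    if (1 + 2 + HB_PADDING > rec_len) return 0;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    return emit_response(rec, payload, resp, resp_cap);
}

/* 1 if `needle` occurs anywhere in the first `n` bytes of `hay`. */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t k = strlen(needle), i;
    for (i = 0; i + k <= n; i++)
        if (memcmp(hay + i, needle, k) == 0) return 1;
    return 0;
}

/* Attacker claims 65535 bytes but sends 1: the vulnerable handler echoes
 * back neighbouring memory, secret included. */
int vulnerable_leaks_secret(void) {
    size_t rec_len = build_request(0xFFFF, 1);
    size_t n = heartbeat_vulnerable(arena, rec_len, response, sizeof response);
    return n > 0 && contains(response, n, secret);
}

/* The same request against the patched check is dropped outright. */
int fixed_rejects_oversized(void) {
    size_t rec_len = build_request(0xFFFF, 1);
    return heartbeat_fixed(arena, rec_len, response, sizeof response) == 0;
}

/* A well-formed request (claims 5, sends 5) still gets a normal reply. */
int fixed_echoes_honest_request(void) {
    size_t rec_len = build_request(5, 5);
    size_t n = heartbeat_fixed(arena, rec_len, response, sizeof response);
    return n == 1 + 2 + 5 + HB_PADDING && response[0] == HB_RESPONSE
        && memcmp(response + 3, "AAAAA", 5) == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret:    %d\n", vulnerable_leaks_secret());
    printf("patched handler drops oversized:    %d\n", fixed_rejects_oversized());
    printf("patched handler answers honest one: %d\n", fixed_echoes_honest_request());
    return 0;
}
```

The only difference between the two handlers is the comparison against the length of the record that really arrived; that single check is the update the council’s systems had not received. One caveat that applied to every affected site in 2014: installing the patch stops further leaks but does not undo earlier ones, so private keys had to be reissued and passwords and session tokens reset, because an attacker could already have read them without leaving any trace in the logs.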
The data watchdog slammed the council for “serious oversight” during its IT outsourcing programme which left staff’s emails open to the attack months after the bug had been disclosed and patched.
Sally Anne Poole, the group enforcement manager at the ICO, said: “This was a serious oversight on the part of Gloucester City Council.
“The attack happened when the organisation was outsourcing their IT systems.
“A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack.”
The ICO’s investigation found the council did not have sufficient processes in place to ensure its systems had been updated while it changed its IT suppliers.
Ms Poole added: “The council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff.
“Businesses and organisations must understand they need to do everything they can to keep people’s personal information safe and that includes being extra vigilant during periods of change or uncertainty.”
Gloucester City Council’s managing director, Jon McGinty, said: “The council is very disappointed with this decision by the ICO, and is considering its position whether to appeal.”
Mr McGinty said there was “insufficient evidence to show that the hacking event took place after the council became aware of the existence of the potential vulnerability”.
“The council believes that the penalty issued by the ICO will have a serious and detrimental impact on its finances, and the services that we will be able to provide to the residents of Gloucester in the future,” he said.
“The council has invested more than £1m over the past three years to further improve its IT security and remains vigilant to the threats that all businesses face on a daily basis.
“The council did account for the risk of this potential fine in its accounts for 2016-17 but nevertheless its payment will only result in money being taken away from the people of Gloucester and given to Treasury.”