Hundreds of council data breaches reported


According to a new report, there were more than 700 council data breaches reported to the Information Commissioner’s Office (ICO) in 2020. These breaches impacted all 398 UK councils. In addition, the number of data breach incidents rose by 15% between the last quarter of 2020 and the first quarter of 2021. The information was uncovered via freedom of information (FOI) responses.

According to the report:

  • 10 councils had their operations disrupted due to a breach or ransomware attack
  • 1 council reported 29 data breaches in 2020
  • A high-profile attack against Hackney Council forced critical services to be shut down for several weeks
  • Redcar & Cleveland Borough Council suffered a cyberattack, leading to over 135,000 residents being unable to access important services
  • Council employees lack security training and qualifications
  • 45% of councils employ no professionals with recognised security qualifications
  • Approximately four in ten councils spent no money on security training in 2020

The report also warns that, with “more council employees working remotely, and city and town centres becoming increasingly connected, the cyber security challenges facing councils are only set to grow in the future”.

Our opinion

Commenting on the findings, Kingsley Hayes, head of data breach, said:

“Local authorities handle some of our most sensitive personal data, so a data breach can be disastrous. Unfortunately, in our experience, reliance on unsecured legacy software and a lack of preparation for dealing with cyber-attacks has made the sector vulnerable. As a result, almost 100 million cyber-attacks hit Britain’s local authorities in just five years.

“Of course, given the nature of the data required for the delivery of public services, local authorities are lucrative to hackers. But, as the report shows, UK councils are also struggling to train staff and put robust data management practices in place. This is making things worse for the public and easier for cybercriminals.

“What’s more, despite the threat of attacks, in our experience, human error remains the leading cause of breaches, and this is only going to get worse if these organisations don’t take their data protection responsibilities seriously.”

In March 2024, our firm changed its name to KP Law. 
