An investigation of London’s Hackney Council has uncovered a data breach in which the personal information of members of the local community was exposed online.
The new data leak comes within six months of another serious cybersecurity incident at Hackney Council. The previous event involved an attack on the London Borough by the ransomware group, Pysa. The targeted attack saw the gang steal vast stores of data from the local council, information that it later published on a hacker forum based on the dark web.
The recent exposure of London citizens’ data was not caused by an attack but by what appears to be user error.
Disclosure of a data breach
Following the ransomware attack by Pysa, Hackney Council stated it would tighten its security measures for data protection, but privacy settings were recently found to have been misconfigured, resulting in a new data breach.
Council members using a project management site that is available for free use neglected to use the correct setting before transmitting data, leading to the exposure of both names and postal addresses of members of the community. The data disclosed involved people who had been given temporary housing for their own protection, along with tenants of council estates who had asked for damaged boilers, doors, and doorbells to be repaired.
Other personal information exposed included national insurance numbers, case notes following a welfare visit, and minutes taken at a high-level council meeting revealing confidential details regarding financial losses suffered by the council.
Council available for comment
The Council currently uses a dedicated network of over 50 “Trello” boards designed to help contractors and staff streamline workflow and manage tasks. Users of the system are empowered to set privacy levels to suit the content they are managing and can choose for it to be public, private, or able to be shared among other council members.
Council members failed to select the appropriate protection levels required to keep data private, despite the default system setting being designed to ensure no information was made public.
Philip Glanville, Mayor of Hackney, commented on the incident, stating the Council’s own IT team had performed a comprehensive audit of the Trello boards and found that the number of cases where personal data was exposed was relatively small.
He apologised on the local authority’s behalf to residents impacted by the breach and confirmed that all public access issues had now been corrected. He commented:
“Hackney Council, like many local authorities, has a policy of openness. This is part of our commitment to transparency both internally and externally, and so that we can work collaboratively with other councils to improve local public services for residents. Aside from this small number of cases, our Trello boards are used in line with the council’s policies for the secure handling of personal or other sensitive data.”
He added that the data breach was in no way related to the recent cyberattack and was not a reflection on the council’s commitment to increase its cybersecurity measures.