
ICO fines Gloucester over cyber-attack handling

Neil Merrett Published 13 June 2017

Data regulator argues £100,000 monetary penalty is fair response to prevent further failures by authorities to patch systems against well-publicised flaws that can compromise systems; council considers appeal


Gloucester City Council has been fined £100,000 by the Information Commissioner’s Office (ICO) over a cyber attack that saw “sensitive” personal information belonging to its employees being accessed illegally.

Citing a weakness in the authority’s website, the UK data regulator said in a statement that 30,000 emails, exposing financial and other sensitive information, were downloaded from the council’s mailbox solution in 2014. Between 30 and 40 current or former members of staff were found to have been affected by the breach, according to the ICO.

Specific concern was raised that the authority had not paid attention to warnings that had been issued by the data regulator itself and wider media to try to prevent the ‘Heartbleed’ software flaw being exploited.

However, the council has expressed its disappointment with the ICO's decision and is considering whether to appeal.

In her own judgement notice, Information Commissioner Elizabeth Denham concluded that there was no good reason why the council had failed at the time to apply the patch for the Heartbleed flaw, despite advice for organisations to do so.

Failure to better protect against the attack was viewed by the regulator as a serious oversight by Gloucester City Council.

“The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack,” said Sally Anne Poole, group enforcement manager with the ICO.

On the back of a malware attack that compromised the systems of a number of private and public sector organisations, including several NHS trusts last month, the findings highlight growing pressure on the public sector to ensure critical systems are protected to maintain public service provision.

However, an ICO investigation found that the council had failed to implement sufficient processes to ensure systems were updated while switching technology suppliers.

The data regulator added that the authority had been contacted by an individual claiming to be behind the attack and to be a member of the group Anonymous, which is known for targeted attacks on websites.

In opting to impose a fine, the information commissioner did accept that “substantial remedial action” has been taken by the authority. The council had reported the breach to the ICO when it had become aware of a cyber attack taking place, which happened after it was informed by the attacker.

Considering that the financial penalty may have had a “significant impact” on the council’s reputation and resources, the ICO said it had decided to impose a fine to serve as an encouragement to others to prevent any further similar breaches.

Responding to the ICO's judgement in levying the fine, Jon McGinty, managing director of Gloucester City Council, said: “The council is very disappointed with this decision by the Information Commissioner, and is considering its position whether to appeal.

“The council takes the security of its data very seriously and remains of the view that it did take swift and reasonable steps in 2014 to prevent a data breach as soon as it was alerted to the existence of this hacking vulnerability and the availability of a security patch. The Heartbleed vulnerability was a threat to businesses for some time before a patch was issued by software providers.

“There is insufficient evidence to show that the hacking event took place after the council became aware of the existence of the potential vulnerability. The council believes that the penalty issued by the ICO will have a serious and detrimental impact on its finances, and the services that we will be able to provide to the residents of Gloucester in the future. The council has invested more than £1million over the past 3 years to further improve its IT security and remains vigilant to the threats that all businesses face on a daily basis.

“The council did account for the risk of this potential fine in its accounts for 2016-17 but nevertheless its payment will only result in money being taken away from the people of Gloucester and given to Treasury.”
