Councils reported 700+ data breaches to Information Commissioner in 2020: report

UK councils reported an estimated 700+ data breaches to the Information Commissioner’s Office in 2020, according to research by cyber security services company Redscan.

Its report, Disjointed and under-resourced: Cyber security across UK councils, was based on analysis of Freedom of Information (FOI) data supplied by more than 60% of borough, district, unitary and county councils.

Other key findings included:

  • Ten councils had their operations disrupted as a result of breaches or ransomware. They included high-profile cases at the London Borough of Hackney and Redcar & Cleveland Borough Council.
  • One council reported 29 data breaches to the ICO in 2020, more than double the number reported by any other council.
  • Approximately four in ten councils spent no money on security training.
  • Just half of all UK council employees received cyber security training in 2020.
  • 45% of councils employ no staff with recognised security qualifications.

The National Cyber Security Centre (NCSC) recently warned that the cyber security challenges faced by councils are likely to grow due to urban centres becoming increasingly connected.

Redscan said its report suggested that more must be done to minimise the risk of future incidents and disruption to services.

The company’s CTO Mark Nicholls said: “There is significant room for councils to improve their readiness to tackle current cyber risks as well as those that will emerge in the future as cities become smarter and more interconnected.

“Every council has thousands of citizens depending on its services daily. If they go offline due to a cyberattack, this can deny people access to critical services. To minimise the impact of data breaches, it is important that councils are constantly prepared to prevent, detect and respond to attacks. While our findings show that councils are taking some steps to achieve this, approaches vary widely and in many cases are not enough.

“Our analysis reveals some pretty shocking failings, such as 29 data breaches reported by one council to the ICO in a single year. The fact that approximately half of all council employees across the UK didn’t receive security training in 2020 is also concerning.”