ICO takes enforcement against Gloucester City Council for Cyber Attack

Article

17 October, 2023

Bethany Paliga

Senior Associate

The Information Commissioner Office (ICO) has announced it has taken enforcement action against Gloucester City Council following a ransomware attack in December 2021. The Council had previously confirmed that a sophisticated cyber-attack had caused damage to the Council's network and online services, with a number of systems having to be taken offline.

Following an investigation, the ICO has concluded that the Council infringed the following provisions of the UK GDPR:

Article 32(1)(b) - The requirement to have appropriate technical and organisational measures in place to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Article 32(1)(c) - The requirement to have appropriate technical and organisational measures in place including the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
Article 32(1)(d) - The requirement to have appropriate technical and organisational measures in place including a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

ICO findings

In their findings, the ICO determined that the Council did not have in place appropriate logging and monitoring systems. The ICO found that this impacted the Council's ability to monitor and respond to security breaches and to identify potential threats.

The ransomware attack on the Council also resulted in crucial data being deleted. The Council did not identify this attack through the log review process that Gloucester City Council had in place with a third-party supplier.

The ICO also criticised the Council for being unable to restore access to personal data or the systems that stored personal data in a timely manner. Additionally, this meant that the Council could not determine the data subjects at risk of harm from the incident and subsequently this had a knock-on effect on the Council's duty to notify data subjects of the breach without undue delay, and was a contributing factor in the Council not publishing breach notifications until 17 months after their initial breach report to the ICO. The ICO concluded that whilst the Council did have an appropriate documented incident response process, these were not sufficient for such a sophisticated incident.

Whilst the ICO had established that Gloucester Council did have in place some processes and documentation to handle "smaller breaches" however they were not efficient for other incidents.

Further Action Recommended

The reprimand also details further action the ICO recommends that the Council takes to ensure compliance with the UK GDPR. This includes:
Ensure that security measures are regularly tested and there is a documented process in place for evaluating, and improving, the effectiveness of these measures;
Perform a full review of the Council's backup and disaster recovery measures. Any processes already in place should be reviewed to ensure they are sufficient in large incidents that pose a risk to data subjects through confidentiality, availability or integrity issues. Processes to test recovery systems and evaluate their effectiveness should also be considered and implemented where appropriate;
Review the Council's records of processing and asset registers to ensure there is a concrete understanding of what personal data is being processed, which systems store personal data and the risks posed by a breach of confidentiality, integrity or availability for the personal data being processed.

Consequences of a Reprimand

A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. They may be issued by the ICO where it has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations in the alternative to issuing a fine which would have to be paid for out of public funds.

From December 2022, the ICO announced it would now publish details of reprimands on its website. Therefore despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.

Forbes Comment

The Council here suffered from a sophisticated cyber attack which the Local Democracy Reporting Service has previously reported that cyber criminals linked to Russian were behind the attack. The ICO investigation found that the initial attack was enabled through a phishing email received from a legitimate third-party email address. No specific vulnerabilities, either through outdated systems or otherwise, were found to have contributed to the threat actor gaining initial access to the Council's systems. In spite of this finding, the ICO has still decided to take enforcement action against the Council due to the failures in responding to the cyber-attack.

Staff awareness is crucial to prevent phishing emails from being successful and hackers being able to access your systems. Regular cyber security training should include how to spot phishing attempts and regular phishing exercises should be undertaken to assess the effectiveness of training and the level of staff understanding.

For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.

Learn more about our Governance, Procurement & Information department here

Rent reforms for new shared ownership homes

Supreme Court rules on historic holiday pay claims in landmark…