17 October, 2023
The Information Commissioner's Office (ICO) has announced that it has taken enforcement action against Gloucester City Council following a ransomware attack in December 2021. The Council had previously confirmed that a sophisticated cyber-attack had damaged its network and online services, with a number of systems having to be taken offline.
Following an investigation, the ICO has concluded that the Council infringed the following provisions of the UK GDPR:
In its findings, the ICO determined that the Council did not have appropriate logging and monitoring systems in place. The ICO found that this limited the Council's ability to identify potential threats and to monitor and respond to security breaches.
The ransomware attack also resulted in crucial data being deleted. The Council did not identify the attack through the log review process it had in place with a third-party supplier.
The ICO also criticised the Council for being unable to restore access to personal data, or to the systems that stored it, in a timely manner. Because of this, the Council could not determine which data subjects were at risk of harm from the incident. That in turn affected the Council's duty to notify data subjects of the breach without undue delay, and was a contributing factor in the Council not publishing breach notifications until 17 months after its initial breach report to the ICO. The ICO concluded that, although the Council had a documented incident response process, it was not sufficient for an incident of this sophistication.
The ICO accepted that the Council had some processes and documentation in place to handle "smaller breaches", but found that these were not effective for larger incidents.
Further Action Recommended
Consequences of a Reprimand
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation in which the ICO considers that an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR that is not serious enough to attract a fine. They are also commonly issued against public sector organisations as an alternative to a fine, which would have to be paid out of public funds.
In December 2022 the ICO announced that it would publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.
The Council suffered a sophisticated cyber attack which, as the Local Democracy Reporting Service has previously reported, was attributed to cyber criminals linked to Russia. The ICO investigation found that the initial attack was enabled through a phishing email received from a legitimate third-party email address. No specific vulnerabilities, whether through outdated systems or otherwise, were found to have contributed to the threat actor gaining initial access to the Council's systems. Despite this finding, the ICO still took enforcement action against the Council because of the failures in its response to the cyber-attack.
Staff awareness is crucial to preventing phishing emails from succeeding and attackers from gaining access to your systems. Regular cyber security training should include how to spot phishing attempts, and regular phishing exercises should be undertaken to assess the effectiveness of training and the level of staff understanding. Note that in this case the phishing email came from a legitimate third-party address, so training should not rely on staff recognising a suspicious sender alone; it should also cover unexpected requests, attachments and links from known contacts.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.