5,000 breaches reported for 17 councils in 2023

09 July 2024

Apricorn has announced further findings from its annual Freedom of Information (FoI) responses into data breaches and device loss amongst 27 local councils.

The results highlight the significant number of breaches occurring within just 17 of the councils questioned, and the threat to customer data, with over 5,000 breaches recorded in 2023.

Worryingly, Kent County Council alone declared 734 breaches between Jan 2023 and Dec 2023, with Surrey County Council amassing 665 and Norfolk Council not far behind with 605. Other big losses included Warwickshire County Council (495) and East Sussex (490).

“We’re familiar with the fact organisations suffer data breaches, particularly those housing valuable customer data. That said, the excessive number of breaches being declared is concerning. These government organisations should be setting a precedent in terms of data protection. Whilst we know there is no silver bullet for preventing a breach, multiple steps and processes can be put in place to limit the risks of a breach. The councils should invest in comprehensive training programs to educate employees about the importance of safeguarding data and the proper protocols to follow in case of device loss or theft,” said Jon Fielding, managing director, EMEA Apricorn.

Additionally, Warwickshire County Council noted that its devices are not encrypted and that the organisation relies on Multi-Factor Authentication (MFA) to control access to its systems, whether from a laptop or a mobile device. Whilst all devices can be remotely wiped and all data can be stored in applications and/or on shared network drives, this does not completely prevent access to sensitive data should any of its devices fall into the wrong hands.

Equally, Surrey County Council, when questioned on how many USB devices had been lost or stolen, noted that peripherals are not tracked and that memory sticks are a departmental responsibility and are not tracked by asset management. Again, this is concerning: because devices are not being accurately tracked and documented, an item could be misplaced without anyone noticing, resulting in a major breach that the council would be unaware of.

“By implementing security tools and practices such as deploying removable storage devices with built-in hardware encryption, government departments can roll this out across the organisation, ensuring all data can be stored or moved around safely offline. Even if the device is lost or stolen, the information will be unintelligible to anyone not authorised to access it,” said Fielding.

Of notable concern is the response from Lancashire County Council to questioning about the number of lost and stolen devices within the organisation. The reply stated that the council does not record or document this information, putting it at risk of failing to comply with data protection regulations such as the General Data Protection Regulation (GDPR), and posing a significant threat to customer data security.

Without proper records, the council may struggle to demonstrate accountability and transparency in handling sensitive information. In the event of a data breach or loss, the council's inability to track and report on lost or stolen devices could result in severe consequences, including financial penalties and reputational damage, not to mention the harm to users from the loss of personally identifiable information (PII). This underscores the urgent need for the council to address its data management practices and implement robust measures to safeguard customer data.

“Failing to properly document and report lost and stolen devices not only compromises the privacy and security of individuals' information but also undermines the trust and credibility of the council. Lancashire County Council should prioritise the implementation of robust documentation procedures. This includes promptly reporting incidents to the appropriate authorities, conducting thorough investigations, and taking immediate action to mitigate any potential data breaches and demonstrate commitment to protecting the privacy and security of its constituents' data,” said Fielding.