In 2024, over 2,400 suspected data breaches were recorded across 27 councils in the UK, as revealed by a series of Freedom of Information (FoI) requests. This alarming statistic underscores the growing challenges local authorities face in safeguarding sensitive information amidst an evolving cyber landscape.
The analysis, conducted by USB storage firm Apricorn, highlights significant reporting from several councils. Surrey County Council led with 634 reported breaches, followed by Oxfordshire County Council at 451 and North Yorkshire Council at 406. Notably, many breaches stemmed from simple human errors, including misdirected emails and lost documents, as well as unauthorized sharing of private information.
Among the reported breaches, Suffolk County Council disclosed six to the Information Commissioner’s Office (ICO), which encompassed failures such as unauthorized access and the internal publication of sensitive data. North Yorkshire Council similarly reported eight ICO-notified breaches, with incidents ranging from cyber attacks to mishandled paperwork.
Despite the high numbers, several councils emphasized that not all breaches resulted in significant harm or necessitated formal reporting to the ICO. Cheshire East Council, for example, recorded 212 suspected breaches yet asserted that many were deemed “near misses” or involved internal disclosures. This proactive approach to reporting underscores the councils’ commitment to stringent data protection protocols.
Additionally, Cambridgeshire County Council noted only three breaches reported to the ICO for 2024, all attributed to staff errors but effectively managed in compliance with regulations.
The FoI responses also revealed persistent challenges in device management. East Riding of Yorkshire Council reported the loss of 157 devices, including 106 mobile phones and 34 tablets. Hertfordshire County Council recorded 75 lost devices, while Essex County Council reported 33 mobile phones lost, none of which were encrypted. The use of unsecured devices raises critical concerns regarding the protection of data in transit, underscoring vulnerabilities that could be exploited by cyber adversaries.
Jon Fielding, managing director of Apricorn for the EMEA region, emphasized that despite existing training and policies, human error remains a significant factor contributing to breaches in local government. The prevalence of unencrypted and poorly secured devices compounding these risks necessitates councils to reinforce endpoint security protocols and ensure encryption standards are uniformly applied.
“Transparency is essential for enhancing data protection standards,” Fielding said, advocating for councils to foster a culture of incident reporting. Investment in encrypted hardware, established secure data transfer protocols, and inter-departmental accountability are crucial to fortifying defenses against potential attacks.
Cyberattacks on Local Authorities
In a separate incident, Oxford City Council reported experiencing a cybersecurity breach earlier this month. Sylvain Cortes, VP of Strategy at Hackuity, pointed out that local authorities continue to be prime targets for cybercriminals, due to their transition to digital services which exposes sensitive citizen and employee data.
As local authorities grapple with the dual challenges of service delivery and cybersecurity, Mike Upton from e2e-assure noted the struggle of balancing end-user needs with robust cybersecurity practices. With cybersecurity training often sidelined in the urgency of day-to-day responsibilities, the risk of exploitation by increasingly sophisticated cyber threats continues to rise.
