In a serious misstep at East Devon Council, the passwords of 37 council members were reportedly exposed online to other councillors, leaving private email inboxes potentially vulnerable to unauthorised access.
The error was quickly corrected, with affected councillors resetting their passwords. However, the period of vulnerability could have caused leaks of confidential information, which is why this is a serious matter.
Despite local authorities’ important responsibility to their communities and residents, we see data breaches happening far too frequently at local councils, suggesting that many are still failing to take their data protection duties seriously. At Your Lawyers – The Data Leak Lawyers – we believe that failures when it comes to data protection law justifies legal action, as many of these local authorities need to develop more rigorous data protection measures to protect people’s information. Where they fail to do so, we are here to help.
East Devon Council data leak- what happened?
It is currently understood that the data incident did not arise through a mistake of one of the East Devon Council members, but through a misstep made by an external IT provider called Strata. In their management of the council’s IT provision, it has been reported that Strata took the decision to add Airwatch and Outlook passwords to the digital profiles of the individual councillors, such that they were then made visible to their colleagues.
The risk to the councillors’ email inboxes could have been bad, as their emails could contain confidential information. This could include medical data, probation reports and electoral register information.
Councillor Paul Millar, who was responsible for discovering the password issue, reportedly did not receive “categorical assurance” that his emails had not been accessed by another council member.
The implications of such a data leak
The security risk is generally estimated to be low, as the problem was resolved quickly and it is said to be unlikely that councillors would betray their own organisation. However, factors such as this cannot be relied on to judge the situation as completely safe from harm. In fact, this internal issue and the thoughtlessness involved could be indicative of the risks of external data breaches occurring at East Devon Council in the future. This is something to be considered.
It is understood that the breach has since been labelled as “a wake-up call” in a recent meetings of the council, where the accessibility of the passwords was regarded as “poor practice” in terms of the protection of sensitive information. It was also revealed that the issue had been raised as early as May 2019, when councillors criticised the fact that they were not allowed to set their own passwords, and that they were all stored in a spreadsheet.
The ICO was informed and have been investigating the data incident, but it is already apparent that password protection at the East Devon Council does not seem to follow best practice. Going forward, the council should be more mindful of more appropriate data protection procedures.
Claiming for a council data leak
Fortunately, there is currently no evidence that residents have been affected by the East Devon council data leak. However, the frequency of council data breaches indicates a problem that cannot be ignored in general.
We hope that an incident like this will never affect you, but Your Lawyers – The Data Leak Lawyers – are here to support your right to claim compensation in the event of a data breach. As long as councils fail to address data protection vulnerabilities, it is important to know that you have every right to claim for the distress and financial losses you may have suffered as the result of a data breach.