ICO will look into Edinburgh City Council data breach

The Information Commissioner's Office (ICO) has confirmed it will examine a data breach affecting Edinburgh City Council that exposed 13,000 people's email addresses.

Hackers managed to bypass the security of the local authority's website service provider on 3 July, stealing 13,134 email addresses.

The UK's data watchdog did not say whether it would launch an official investigation, but a spokesman told IT Pro: "We are aware of the incident at Edinburgh City Council and will be making enquiries."

No other personal data was lost in the attack, according to the council, which sent an email notifying victims of the breach that their email addresses had been stolen.

The authority wrote: "If you had a password for the website, as a precaution, we have reset your account and you will have to change your password the next time you log in.

"We are taking this incident very seriously. We have made sure that our service providers have reinforced the security of our website and we will continue to monitor security regularly."

While the attack was not as serious as others in which cyber criminals have accessed sensitive personal data, it may affect public trust in the council, according to one victim, William Buchanan, a professor at Napier University.

In a LinkedIn post, he said: "The current breach does not seem serious in terms of its possible impact on citizens, but could have serious implications on the trust levels of citizens with the council.

"It also comes at the same time as other public sector breaches, especially within healthcare, such as from East Sussex NHS Trust, and which involved a non-encrypted memory stick containing the details of over 3,000 patients."

It emerged this week that the trust had emailed victims to warn them that their data, stored on a USB stick, had been lost, but the memory drive was subsequently returned by a member of the public.

According to the ICO's most recent annual report, healthcare accounted for the most reported data breaches, with 439 incidents, followed by local government with 125 incidents.

But network security firm Barracuda Networks warned that the news highlights the question of who is responsible for securing web applications: an organisation or its service provider?

Wieland Alge, vice president of EMEA, said: "The most important takeaway here is that just because your hosting service or CDN or cloud provider says that they provide 'a secure environment', it (almost) never means that they secure your web applications as well.

"That responsibility squarely falls on the responsibility of each individual business. Organisations should query their providers regarding web application security specific features and explore avenues of supplementing these."