UK council security practices slammed after suffering 50 data breaches in four months


Gateshead Council has reportedly recorded more than 50 data breaches so far this year, mostly due to 'human error'.

According to documents seen by ChronicleLive, the breaches include using incorrect email addresses, attaching the wrong documents, and sending letters to the wrong addresses. Personal and medical data was uploaded online, and data was sent to the wrong recipients.

"The breach at Gateshead Council sheds light on the widespread occurrence of data breaches. While often attributed to human error, they're also a systemic issue," said Tim Ward, CEO and co-founder of Think Cyber Security.

"Merely instructing people through training courses isn't enough; we must acknowledge the broader context. While a foundational understanding of data handling is crucial, many mistakes happen in high-pressure situations — when we're rushing to meet deadlines or sifting through emails."

In one example, a resident in council tax arrears was sent the information for 53 other people who also owed money; in another, a fostering agency sent information out about a child who wasn’t in its care.

A psychology report was sent to the wrong address, a report was sent to the wrong solicitor, an employee lost a notebook containing personal data and a resident’s information was shared with a landlord without permission.

"Instances such as using incorrect email addresses, attaching wrong documents, or sending sensitive information to the wrong recipients are not uncommon. They highlight the critical need for organisations to prioritize continuous staff training on data handling procedures and cybersecurity best practices," said Erfan Shadabi, cyber security expert at comforte AG.

"Effective training programs can empower employees with the knowledge and skills necessary to identify and mitigate potential risks, ultimately reducing the likelihood of data breaches stemming from human error."

Gateshead Council did refer two breaches to the Information Commissioner's Office (ICO) in 2023. 

One of these involved test data being mistakenly made live on certain council-operated websites, and the other included social work and/or occupational health data being posted to an out-of-date address. The data protection watchdog took no further action.

The news follows concerns raised last year by the BBC's Local Democracy Reporting Service, which reported that breaches at the council rose from 66 in 2022 to more than 120 in 2023.

At the time, the authority attributed the increase in reported breaches to improved training and better awareness of the issue among staff.

"It's commendable that there is a structured procedure in place for the council officers to report breaches swiftly. This not only demonstrates a proactive stance towards regulatory compliance, particularly with the strict timelines imposed by the ICO, but also reflects an understanding of the importance of quick response to mitigate the potential damage of such breaches," said Javvad Malik, lead security awareness advocate at KnowBe4.

"However, this situation also highlights the critical need for continuous education and training for all individuals who handle sensitive information. Simple errors should not be underestimated, as they can lead to significant privacy violations and erode public trust in how their data is managed. Fostering a culture of cyber security and mindfulness are vital steps in reducing these types of incidents."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.