UK councils are paying out a fortune in data breach claims

Cyber security concept image showing digitized circuit board with a red alert symbol.
(Image credit: Getty Images)

UK Councils are forking out tens of thousands of pounds in data breach claims, freedom of information requests have revealed. 

An investigation by Data Breach Claims has found that the number and cost of breaches is on the rise across the country.

"This rise is worrying and we hope that organizations are ensuring that they have sufficient security in place to protect people’s personal information," said the firm's Eleanor Coleman.

Hull City Council, for example, has experienced nine cyber attacks in the past three years, paying out £30,000. Five of these were phishing attacks, with one incident of intrusion.

"The latest news on Hull City Council's data breaches and cyber attacks is alarming and should serve as a wake-up call for all local authorities. With nine cyber attacks and six breaches in just three years, preventing such attacks in the future must be a priority for the council," commented Dr Darren Williams, CEO and founder of Blackfog.

The biggest data breach bill went to Cheshire and West Chester Council, which has paid out £185,000 in compensation for data breach claims since 2021.

It recorded a total of 228 incidents between 2021 and 2022, as well as a further 195 in 2022/23. However, it said, it hasn't had any cyber incidents since 2021.

Devon County Council, meanwhile, has paid out £86,000 in compensation since 2021. It confirmed a total of 91 personal data breach incidents since then, with figures increasing year on year.

However, it wouldn't reveal the number of cyber attacks it experienced, saying that doing so 'could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure'.

Surrey County Council was close behind, paying out £78,000 over a a total of 2,078 data breaches, while Lancashire County Council had costs of £51,000.

"It is not enough to rely on self-reporting and compensation payouts to the victims of data breaches. Councils need to take proactive measures to prevent such incidents from happening in the first place," Williams said.

"The government sector will always be a target for cyber criminals, but if councils and governments prioritize investing in preventative solutions it is possible to prevent attacks and ensure their data does not fall into the wrong hands."

Gateshead Council recently came under fire after documents seen by ChronicleLive revealed that it had recorded more than 50 data breaches between January and April this year.

These included using incorrect email addresses, attaching the wrong documents, and sending letters to the wrong addresses. Meanwhile, personal and medical data was uploaded online, and data sent to the wrong recipients.

All in all, according to the Information Commissioner’s Office (ICO), cyber attacks on local authority systems jumped by a quarter between 2022 and 2023, while personal data breaches reported by local government organizations rocketed by 58% in the same period.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.