Personal data taken in Oxford City Council cyber attack

Oxford City Council has become the latest local authority to suffer a cyber attack, with the personal details of election workers stolen.

The incident, which took place over the weekend of 7 and 8 June, saw the attackers accessing some historic data held on legacy systems.

This included the personal information of people who worked on elections administered by the council between 2001 and 2022, including poll station workers and ballot counters. Most of these people, said the council, will be current or former council officers.

"There is no evidence to suggest that any of the accessed information has been shared with third parties," said the council in a statement.

"Investigations continue to identify as precisely as we can what was accessed and what, if anything, might have been taken out of our systems. There is no evidence of a mass download or extraction of data."

The council said that its automated systems were able to detect the breach immediately, minimizing the attackers' access to systems and databases. It then called in external experts and took down each of the council's main systems to carry out full security checks and investigate the incident.

"These precautionary measures resulted in disruption to some of our services over the last week, our staff have been working hard to minimise impact on our residents, but we would like to sincerely apologise for any inconvenience this has caused to people wanting to access our services," it said.

"We're pleased to say that most of our systems are now safely up and running again, and the remaining systems should be back online this week."

The council's email systems and wider digital services remain secure and safe to use, it said, and the council has reported the incident to the relevant government authorities and law enforcement agencies.

Cyber attacks on local authorities are rocketing, with Hammersmith and Fulham Council revealing earlier this year that it faces around 20,000 attempted cyber attacks every day, mostly phishing attempts.

Incidents over the last year include a supply chain attack that affected the housing websites for Manchester, Salford, and Bolton councils, an attack on three Kent councils that severely disrupted services, and one against Leicester City Council that knocked IT systems and phone lines offline.

Data Breach Claims UK recently reported, based on FOI requests to 36 metropolitan councils, that between them they've suffered 12,700 data breaches over the last three years and paid out more than £260,000 in compensation.

Sheffield City Council topped the list, with 1,512 breaches, followed by Manchester City Council with 1,493 and Wakefield Council with 1,268.

According to the Information Commissioner's Office (ICO), cyber attacks on local authority systems rose by a quarter between 2022 and 2023, while personal data breaches rocketed by 58%.

Late last year, information commissioner John Edwards urged local authorities to take cybersecurity more seriously, saying: "We trust local government with some of the most sensitive personal information imaginable, yet they remain one of the leading sources of data breaches."