Home of the world's longest pleasure pier joins public sector leak club
Southend-on-Sea Council unwittingly exposed sensitive records of more than 2,000 staff for five months
Southend-on-Sea City Council has reported a data breach, joining a growing list of UK public sector organizations to have accidentally and illegally exposed sensitive files this year.
The data breach occurred as a result of a botched response to a request made under the Freedom of Information Act 2000 (FoI). The council uploaded a spreadsheet that it thought contained solely anonymized job roles and structure data.
It later discovered that if the spreadsheet was "interrogated," personal and special category data of all current and former council staff as of March 31 could be viewed.
The document was initially uploaded on May 17, and was locked with permissions set to read-only. The council became aware of the accidental data exposure on October 27.
In total, more than 2,000 individuals were affected: 1,854 current staff and 276 former council workers, as well as an additional 169 office holders and canvassers, and 55 councilors and co-opted members.
Co-opted members are not official councilors but serve as elected independent members of council committees.
The data exposed included names, addresses, national insurance numbers, pension scheme details, salaries, and equal opportunities data.
As a result, the council has self-reported to the Information Commissioner's Office (ICO).
"We have issued an advisory notice to public authorities calling for an immediate end to the use of original source Excel spreadsheets when responding publicly to FoI requests," an ICO spokesperson told The Register. "This follows a number of recent data breaches where personal information was inadvertently included in spreadsheets that were shared as part of a FoI response.
"Public authorities should be putting robust measures in place to protect personal data when responding to information access requests, and to reassure the people they serve, and their staff, that their information is in safe hands.
"Southend-on-Sea Council has made us aware of an incident and we are assessing the information provided."
Council leader Tony Cox extended the organization's apologies in a statement.
"We have immediately begun an investigation to understand how this happened and I sincerely apologize to those affected on behalf of the organization," he said.
"We have also taken immediate actions, including starting to investigate how this happened, undertaking an initial assessment to understand the potential risk to staff and whether the data could be used in a harmful way, providing advice and support to all staff affected, and stopping the use of Excel spreadsheets in our FoI responses. We are also reviewing our FoI protocols to ensure this cannot happen again."
The incident follows a spate of data breaches in the UK and Ireland's public sector in recent weeks. The Police Service of Northern Ireland (PSNI), as well as Norfolk and Suffolk police forces, both fell foul of data protection standards during their respective FoI-related exposures.
In August, Cumbria Police published the names and salaries of all its officers and staffers. The ICO decided at the time that no further action was needed other than a reminder of what is expected in terms of data protection measures.
Later that month London's Metropolitan Police exposed details of 47,000 officers as a result of a third-party breach.
Greater Manchester Police's incident was also caused by a breach at a third-party supplier of ID badges.
Most recently, more than half a million records related to vehicle seizures were exposed by an unsecured database managed by an unnamed Limerick contractor in Ireland. The data breach affected civilians and members of the Irish National Police (An Garda Síochána). ®