Disastrous security failure affects personal data collected by City Council

Colchester Conservatives call for full public disclosure of the circumstances surrounding an alleged breach of security affecting the data held by the City Council for thousands of residents.

Cllr Roger Buston, Conservative Spokesman on Licencing and Public Protection, said: “It has been alleged in the press that personal data relating to residents of Colchester has been put at severe risk by the poor security of a Council subcontractor. We demand a full enquiry and an apology to be given to every Colchester resident whose personal data was exposed.”

According to the press, in mid-April the Russian Black Basta ransomware gang attacked Capita systems, and threatened to make public their clients’ confidential data.

The incident was reported to the Office of the Information Commissioner. In the ensuing investigation in early May, Capita is reported in the press to have admitted that 655 gigabytes of customer personal data had been left exposed in an Amazon Cloud Service virtual disk since 2016 to anyone browsing the internet.

Colchester City Council, confirmed to the press that personal data that it had collected about residents was part of the 655 gigabyte exposure, and screenshots of the personal data seen by Council Officers show that data pertaining to Colchester City Council was on public view to anyone browsing the Internet.

However, the 655 gigabytes of content of the exposed cloud server were also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage, indicating just how difficult it is to undo the damage done by poor security.

The personal data collected by Colchester Council was not even protected by a password, so the Russian Hacker certainly would not have needed to deploy their considerable hacking skills to obtain it. The data has since been secured, but that is rather too late in the day.

Conservative Councillors now demand an immediate explanation from the Leader of the Council on why the City Council did not regularly check the security standards of their contractors.

Conservative Councillors also demand an assurance from the Leader of the Council that every resident whose personal data supplied to the Council was in the 655 gigabytes on public display will be contacted immediately by the City Council with an apology and an explanation of what might have been revealed. We appreciate that this is a massive task because GrayHatWarfare imply that upwards of 30,000 customer records may be involved. But nevertheless it must be done.