Hackney Council is in the news again, this time for an IT blunder that publicly exposed the names and addresses of women placed in temporary accommodation for their own safety.
Less than six months after the Pysa ransomware gang stole vast amounts of data from Hackney Council and published the data on a dark web forum, the Council is in the news again for not being able to prevent yet another IT security incident that exposed the names and addresses of vulnerable citizens.
An investigation by Hackney Citizen revealed that a month after hackers published the stolen data and Hackney Council’s CEO pledged to tighten data security measures, senior managers at the Council misconfigured privacy settings on a free-to-use project management website, exposing sensitive data to the public.
Hackney Citizen said the publicly exposed spreadsheet stored “the names and addresses of women placed in temporary accommodation for their own safety.” “Four weeks after that, a separate upload published contact details for council estate tenants who had requested repairs to boilers, buzzers, and broken doors,” it added.
The investigation found that Hackney Council also exposed more data online, including the addresses and national insurance numbers of vulnerable tenants, “case notes from a welfare check on a ‘frail’ resident, and minutes from a high-level housing meeting that revealed the council was losing £500k a month because the cyber attack knocked out its arrears collection service.” The Council also exposed personal details of a key witness in a gang-related stabbing incident.
According to Hackney Citizen, Hackney Council uses a network of 51 ‘Trello’ boards that lets employees and contractors manage tasks and streamline workflows. Each board has a privacy setting chosen according to whether its data needs to be public, kept private, or shared only with other Council staff. The default setting is ‘workspace’, which indicates that senior managers at the Council themselves changed the privacy setting on boards holding confidential information.
After these details were published, Hackney Mayor Philip Glanville said the Council’s IT team conducted an extensive audit to close down the Trello boards but played down the incident, stating that a relatively small number of cases of personal information were exposed.
“I want to apologise on behalf of Hackney Council to residents affected by this data breach, in which a relatively small number of cases of personal information were shared publicly in error. We corrected any public access issues as soon as we were made aware of them, and have carried out an exhaustive audit of all our Trello boards to ensure there are no more corrections that need to be made.
“Hackney Council, like many local authorities, has a policy of openness. This is part of our commitment to transparency both internally and externally, and so that we can work collaboratively with other councils to improve local public services for residents. Aside from this small number of cases, our Trello boards are used in line with the council’s policies for the secure handling of personal or other sensitive data.
“We have clear measures that we take to protect the data we hold and we will continue to regularly remind staff of their responsibilities and the safeguards needed. When we fall short of the standards I, the council and residents rightly expect, we will say so and take the necessary steps to put it right, including contacting the ICO.
“This issue is completely unrelated to the cyber attack and not a reflection of our commitment to security or our recovery work,” Glanville added.
Javvad Malik, security awareness advocate at KnowBe4, says that although the technology to protect this information exists, incidents like this will keep happening until the right processes are in place and responsibility for security is embedded in people’s roles throughout organisations.
“It’s why it’s also important to have assurance controls in place to validate that any externally accessible system is configured correctly and only going live once that assurance has been sought either through internal processes or via a trusted 3rd party,” he said.
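The kind of assurance control Malik describes, applied to the board visibility settings the article explains, can be a routine audit that lists every board whose level is not what the organisation expects. The script below is an added example, not code from Hackney Council, Hackney Citizen or Trello. It assumes boards are represented the way Trello’s REST API returns them, with `prefs.permissionLevel` set to `"private"`, `"org"` (the level the UI calls “workspace”) or `"public"`, and the sample boards and allow-list it runs on are constructed for illustration.

```python
"""Audit Trello board visibility: flag any board that is public unless an
owner has explicitly allow-listed it, and flag boards whose level cannot be
verified. Added example; board shape follows Trello's REST API (assumption).
"""
import json
import urllib.parse
import urllib.request

# The article says the council's default level is "workspace"; Trello's API
# spells that level "org" (assumption about the API's naming).
DEFAULT_LEVEL = "org"
EXPOSED_LEVEL = "public"
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def fetch_boards(workspace, key, token):
    """Pull boards for a workspace from the Trello REST API.

    Assumed endpoint (not exercised offline):
    GET https://api.trello.com/1/organizations/{workspace}/boards
    """
    query = urllib.parse.urlencode(
        {"key": key, "token": token, "fields": "name,url,prefs"}
    )
    url = f"https://api.trello.com/1/organizations/{workspace}/boards?{query}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def audit_boards(boards, allow_public=frozenset()):
    """Return findings, most severe first.

    high:   board is public and not on the allow-list (likely exposure)
    medium: visibility level missing or unrecognised (cannot be verified)
    info:   board is public but allow-listed (still listed for periodic review)
    """
    findings = []
    for board in boards:
        board_id = board.get("id")
        name = board.get("name", "<unnamed>")
        level = board.get("prefs", {}).get("permissionLevel")
        if level == EXPOSED_LEVEL and board_id not in allow_public:
            findings.append({
                "board_id": board_id, "board": name, "level": level,
                "severity": "high",
                "action": "restrict to private/workspace and review contents",
            })
        elif level == EXPOSED_LEVEL:
            findings.append({
                "board_id": board_id, "board": name, "level": level,
                "severity": "info",
                "action": "allow-listed; confirm it still holds no personal data",
            })
        elif level not in ("private", DEFAULT_LEVEL):
            findings.append({
                "board_id": board_id, "board": name, "level": level,
                "severity": "medium",
                "action": "visibility could not be verified; inspect manually",
            })
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


def summarize(findings):
    """Count findings per severity, e.g. {"high": 1, "medium": 1, "info": 1}."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


# Constructed sample standing in for an API response (not real council boards).
SAMPLE_BOARDS = [
    {"id": "b1", "name": "Repairs backlog",
     "prefs": {"permissionLevel": "public"}},
    {"id": "b2", "name": "Placements tracker",
     "prefs": {"permissionLevel": "org"}},
    {"id": "b3", "name": "IT recovery plan",
     "prefs": {"permissionLevel": "private"}},
    {"id": "b4", "name": "Public consultation timeline",
     "prefs": {"permissionLevel": "public"}},
    {"id": "b5", "name": "Legacy board", "prefs": {}},
]
# Boards an owner has signed off as intentionally public (constructed).
ALLOWED_PUBLIC = frozenset({"b4"})


if __name__ == "__main__":
    results = audit_boards(SAMPLE_BOARDS, ALLOWED_PUBLIC)
    for finding in results:
        print(f"[{finding['severity']}] {finding['board']}: {finding['action']}")
    print(summarize(results))
```

Run as a scheduled job, with `fetch_boards` substituted for the constructed sample, this gives the IT team the “exhaustive audit” the Mayor describes as a repeatable control rather than a one-off response to press coverage; a non-empty `high` count is the signal to act.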
“It’s one thing to accidentally leave a file available to the public when a system defaults to “public” upon upload, but it is a special kind of incompetence to mark a file as “public,” when the system default restricts the file to the internal workgroup,” says Chris Hauk, consumer privacy champion at Pixel Privacy.
“If senior administrators are performing their jobs this shoddily, I shudder to think what kind of leaks are available because of their underlings’ actions. Think before you click, people! This error left vulnerable folks open to possible attacks by their estranged partners. There is simply no excuse for this type of shoddy management.”