The Information Commissioner's Office (ICO) has announced that a former employee of Nuneaton and Bedworth District Council was fined £660 and asked to pay £713.75 in costs after he was found guilty of accessing personal data of several job applicants and sharing them with his partner who was also an applicant.
In a clear example of why local councils across the UK are being urged to implement privileged access management to prevent the leakage of sensitive information to unauthorised employees, a former employee at Nuneaton and Bedworth District Council was recently found to have illegally accessed the authority’s recruitment system to gain access to CVs and personal information of several people who had applied for an administrative job.
Kevin Bunsell, the said employee, did so in order to help his partner who had also applied for the same administrative position. Details that he shared with his partner included names, addresses, telephone numbers and CVs of each candidate, along with contact details for each of their two referees.
Following the discovery of the breach, Bunsell, who till then served as the council's Head of Building Control, resigned and his partner's appointment was cancelled. Recently, Nuneaton Magistrates’ Court fined Bunsell £660 and ordered him to pay £713.75 costs and a victim surcharge of £66 after he pled guilty.
“People who supply their personal information to an organisation in good faith, such as when applying for a job, have a legal right to expect it will be treated lawfully and ethically. Not respecting people’s legal right to privacy can have serious consequences, as this case demonstrates. Not only might you face a prosecution and fine, along with the attendant publicity, but you may also lose your job and severely damage your future career prospects," said Steve Eckersley, Director of Investigations at the ICO.
Local councils need to do more to secure their systems
Following the arrival of GDPR, local councils across the UK are being offered GDPR-related training and additional funds to secure their IT systems but a lot more needs to be done to completely secure their systems from emerging cyber risks that include the human factor.
For instance, in April last year, cyber criminals gained access to "an IT storage portal" owned by Lewisham Council and possibly gained access to financial information of over 6,000 residents of Lewisham borough. The compromised IT storage portal was not connected to its core IT system but contained confidential personal and financial records of thousands of citizens who either used the council's housing benefit services or were childminders.
"It’s inevitable that hackers will at some point breach a company’s network, so the focus must shift to preventing hackers from exfiltrating sensitive data. Deploying data-centric security technology can remove the risk factor associated with these threats because even if someone has access to the data, they are prevented from copying, moving or deleting it without approval, a useful countermeasure to ransomware attacks," said Naaman Hart, Managed Services Security Engineer at Digital Guardian.
"Implementing data-aware advanced threat products – which can nullify the effects of mass encryption of files – and maintaining a robust backup policy allowing the recovery of any encrypted files, are two other proactive steps that can be taken to strengthen your position against ransomware. Know your data, prevent unauthorised data use or alteration, and ensure you have a solid recovery mechanism," he added.