UK councils report over 5,000 data breaches in 2023

A Freedom of Information (FoI) request by Apricorn has revealed that local councils in the UK reported over 5,000 data breaches during 2023. The data disclosed highlights widespread issues with data protection across several councils, including a lack of compliance with key data protection regulations.

Kent County Council recorded the highest number of breaches with 734 incidents between January 2023 and December 2023. Surrey County Council followed with 665 breaches and Norfolk Council reported 605. Other significant numbers included Warwickshire County Council with 495 breaches and East Sussex with 490.

"We are familiar with the fact organisations suffer data breaches, particularly those housing valuable customer data. That said, the excessive number of breaches being declared is concerning. These government organisations should be setting a precedent in terms of data protection. Whilst we know there is no silver bullet for preventing a breach, multiple steps and processes can be put in place to limit the risks of a breach," stated Jon Fielding, Managing Director, EMEA Apricorn.

Warwickshire County Council indicated that its devices are not encrypted, instead relying on Multi-Factor Authentication (MFA) to access systems via laptops or mobiles. Although devices can be remote wiped and data stored on applications or shared network drives, this does not fully mitigate the risk if devices are lost or stolen.

Surrey County Council revealed that it does not track USB devices, leaving these memory sticks as the responsibility of individual departments. This lack of tracking and documentation could contribute to significant breaches that could go undetected if items are misplaced.

Fielding suggested, "By implementing security tools and practices such as deploying removable storage devices with built-in hardware encryption, government departments can roll this out across the organisation, ensuring all data can be stored or moved around safely offline. Even if the device is lost or stolen, the information will be unintelligible to anyone not authorised to access."

Particularly concerning is that Lancashire County Council does not record or document lost and stolen devices. This lack of documentation could lead to non-compliance with data protection regulations like the General Data Protection Regulation (GDPR), posing a serious risk to customer data security.

Without proper records, Lancashire County Council may face challenges demonstrating accountability and transparency in handling sensitive information. This gap could result in severe consequences, including financial penalties and reputational damage, along with potential harm to individuals from the loss of personally identifiable information.

Lancashire County Council has been urged to prioritise the implementation of robust documentation procedures. Fielding concluded, "Failing to properly document and report lost and stolen devices not only compromises the privacy and security of individuals' information but also undermines the trust and credibility of the council. The council should prioritise promptly reporting incidents to the appropriate authorities, conducting thorough investigations, and taking immediate action to mitigate any potential data breaches and demonstrate a commitment to protecting the privacy and security of its constituents' data."