Authorities have complained about the lack of time taken to be notified by IT firm and wrongly being told personal data was not put at risk
More councils have come forward to indicate they have been affected by a potential data breach caused by “unsafe storage” provided by IT supplier Capita.
The incident relates to data extracted from local authorities’ systems at least two years ago and the affected councils have expressed strong disappointment about the length of time taken by Capita to alert its customers to the possible breach. One council said that, when it was notified, it was wrongly told that no personal data was put at risk.
Rochford District Council last week announced that the “personal sensitive data” of citizens may have been compromised after a cloud storage facility managed by Capita was not properly secured.
Five other authorities have now revealed that the personal data of local residents may have been breached as a result of the storage, which relate to an Amazon Web Services resource – known as a bucket – used by Capita. It is understood that data from 11 councils was stored in the facility, including eight for which the bucket contained personally identifiable information related to citizens. The storage is believed to have been secured a month ago.
Councils in Coventry, Colchester, Derby, Adur and Worthing, South Staffordshire have all now confirmed that they may have been affected. Each of these authorities said that they have self-referred the incident to the Information Commissioner’s Office.
The statement from Colchester indicated that the affected information – which it said relates to benefits data from the 2019/20 and 2020/21 years – was stored in an “unsecured Amazon data bucket… [for which] Capita has failed to maintain the necessary standards for data protection”.
The data did not contain any bank details and has since been secured, the authority said.
Richard Block, Colchester City Council’s chief operating officer, said: “The privacy and security of personal information is paramount, and we are extremely disappointed that such a serious data breach by one of our contractors has occurred. “We require all parties involved in the handling of sensitive information to adhere to the highest standards of data protection and it is unacceptable that Capita has failed to meet these required standards. As a result, we are considering what further action may be appropriate regarding Capita.” The statement from Adur and Worthing Councils said that the authority had been notified of the incident by Capita on 16 May – at which point the firm claimed that “the breach did not involve personal data”. An internal investigation – in which all affected files were reviewed – found that they “did in fact contain some personal data belonging to around 100 Adur and Worthing residents”, according to the council. “We are extremely unhappy with both the data breach itself and Capita's failure to provide us with swift and accurate information about what they have discovered,” the statement added. “We treat data protection extremely seriously and are currently identifying each and every one of our residents that has been affected. At this stage we believe that there is only a minimal risk to our residents but we will be contacting them to make them aware of what has happened and will keep them updated.
'Reviewing arrangements' A spokesperson for Coventry City Council also voiced the authority’s disappointment with the IT services firm.
"We have been belatedly informed that there has been a potential historic data breach by our financial services contractor Capita,” they said. “We are extremely concerned and disappointed by this news, not just because we take such matters very seriously but also the length of time it took to alert us. The council is committed to ensuring Capita works with us to fully understand if there has been any data breach and to implement measures to prevent a similar incident from occurring in the future. We are waiting for further clarification from Capita. We understand that this issue may cause concern among residents and apologise on behalf of Capita.”
Alison Parkin, director of financial services at Derby City Council, added: ““We’re very disappointed to hear about the incident involving one of our suppliers, Capita. We know this incident will cause concern, and we would like to apologise to our customers. We will be contacting affected customers individually, you do not need to contact us. We will continue to work with Capita and the ICO to understand the cause of the data breach and how to prevent it from happening again in the future. As part of our investigation, we will also be taking the opportunity to review the arrangements with Capita.”
A South Staffordshire Council spokesperson said: “We can confirm that we have been made aware of a potential issue with a third party supplier relating to the storage of data. The full extent of the issue is not yet fully known, however we have been assured that a full investigation is underway – the outcome of which will determine our next steps.”
The incident is second data breach affecting Capita to have become public in a matter of weeks. Last month the firm revealed that, over a nine-day period at the end of Match, attackers gained unauthoried access to a total of 4% of the firm’s servers. In subsequent updates, the company has admitted that there is “evidence of limited data exfiltration… which might include customer, supplier or colleague data” stored across 0.1% of its server estate. That incident is likely to cost Capita about £15m to £20m in costs related to specialist advice, recovery efforts, and work to upgrade its cyber infrastructure.
In response to the councils’ statements regarding the unsecured AWS bucket, a company spokesperson said: “We are working with our third-party technical advisors to investigate this issue. The data is secure and no longer accessible. Our investigations into the matter are ongoing. The privacy and security of our client information is of the utmost importance to us.”
Written by Sam Trendall on 24 May 2023
Copyright: Public Technology.net