A recent investigation by the Hackney Gazette revealed that vulnerable residents’ personal data was made available to anyone who had access to a workspace link the council was using on the Trello project management platform. Shockingly, no one at Hackney Council seemed to realise the error, only resolving the issue after Hackney Gazette journalists notified them. The Gazette’s investigation indicates this data was publicly available – including via Google – between February and July this year.
Vulnerable women and their children put at risk by latest data breach
What makes this particular incident even worse is that the data included the names, addresses, and other personal details of women who were victims of domestic abuse and had been accommodated by the council for their safety. In several instances, the women in question were also living with young children.
This incident is the latest debacle in what we might call a comedy of data breach errors were the potential consequences not so severe. Thankfully, there have to date been no reports of personal data falling into sinister hands, but that does nothing to take away from the severity of this data breach.
A year of shame for Hackney Council
The following list details just some of the other known data breach incidents experienced by Hackney Council over the past 12 months:
- In October 2020, the council was the victim of a ransomware attack. The council refused to pay the ransom demand, and cybercriminals behind the attack subsequently released a trove of stolen data and confidential documents in early 2021.
- In late 2020, a spreadsheet was made available detailing contact details for social housing tenants who were awaiting repairs for things like their boiler.
- A screenshot showing a vulnerable resident’s address and national insurance number was made publicly available online.
- The council uploaded case notes from a welfare check on a vulnerable resident, which were again available to anyone with the link or that could find it.
- The council named a witness in a gang-related stabbing by posting links to a poorly redacted police report in a YouTube video.
- Finally, the council uploaded minutes from a meeting that revealed it was losing £500,000 a month as the October 2020 incident had hit its arrears collection data and services.
While in some data breach incidents, the blame is put down to inexperienced workers not knowing how to use systems, senior Council IT managers are believed to be responsible for all of these incidents.
Gazette investigation uncovers widespread data availability
The YouTube incident described above is what triggered the Hackney Gazette’s investigation.
The paper reported that within just a week, it had found 51 Trello workspaces being used by over 200 council workers and contractors, which were also available for the public to access.
Potentially grave consequences following data breach
While the council says it never publishes the exact location of buildings used for housing vulnerable residents, including domestic abuse victims, the spreadsheet uploaded and publicly available was unredacted.
One individual whose details were included in the data breach, Lydia Afrakomah, told the Local Democracy Reporting Service, “I trusted the council to protect me. When I was made homeless I was at their mercy. I thought they would keep me and my daughter safe – but this feels like a betrayal…That place isn’t safe now, because those partners could find out where the council takes vulnerable women.”
Ngozi Fulani, a domestic violence campaigner, told the Service, “Vulnerable women could have been killed because of this…They might still be killed because of it. Perpetrators stop at nothing.”
Hackney Mayor, Philip Glanville, said, “I want to apologise on behalf of Hackney Council to residents affected by this data breach, in which a relatively small number of cases of personal information were shared publicly in error.
“We corrected any public access issues as soon as we were made aware of them, and have carried out an exhaustive audit of all our Trello boards to ensure there are no more corrections that need to be made.”
Despite the series of incidents over the past year, Mr Glanville said Hackney Council has clear data protection policies in place, and was constantly working with staff to remind them of their obligations and responsibilities around data security and privacy.
He added, “When we fall short of the standards I, the council and residents rightly expect, that we will say so and take the necessary steps to put it right including contacting the ICO.
“This issue is completely unrelated to the cyberattack and not a reflection of our commitment to security or our recovery work.”
Information Commissioner’s Office set to take an interest in Hackney Council
Hackney Council’s catalogue of data breach incidents over the past year has, unsurprisingly, gotten the attention of the Information Commissioner’s Office (ICO).
Neighbouring Newham Council currently has the dubious “honour” of holding the record for the biggest fine levied against a local authority, having been fined £145,000 in April 2019 for emailing a database of suspected gang members to over 40 recipients without authorisation.
Given Hackney Council’s track record over the past 12 months, a far more significant fine is likely headed their way following the conclusion of the ICO’s investigation.
Have your personal details been disclosed by one of Hackney Council’s data breach incidents? Contact LawPlus today to tell us about how the incident has affected you. While we will await the outcome of any ICO investigation before opening any data breach claim on your behalf, knowing how you have been affected by these incidents will help us to start building your case.