Information was available for two years, ICO claims.
The London Borough of Hammersmith and Fulham has been reprimanded by the ICO after it exposed the personal information of 6,528 people for almost two years.
In a statement, the ICO said the data breach occurred when the council responded to a freedom of information (FOI) request and the response contained 10 workbooks which included personal information, and an Excel spreadsheet which contained 35 hidden workbooks.
Almost two years later, in November 2023, following a review of information on its site, WhatDoTheyKnow.com (WDTK) informed the council that the response included personal information, which was immediately removed from both sites.
In total, 6,528 people were affected, with 2,342 being children. The personal information relating to the children was classed as sensitive as it included details of looked after children, 96 of whom were unaccompanied asylum-seeking children.
Sally Anne Poole, ICO Head of investigations, said: “It is imperative all staff are trained regularly and internal guidance and sign off protocols are reviewed on a continual basis to ensure breaches do not happen.
“In publicising this reprimand, we aim to highlight the importance of having the correct policies and procedures in place to mitigate against these types of preventable error.”
Mitigating Factors
The ICO said that, in reaching its final decision, it took into account a number of mitigating factors, including that the published personal information was almost three years old and that there was no evidence it had been inappropriately accessed or used.
“We also considered the remedial action the council took to contain the impact of the breach, notably updating guidance and procedures and ensuring staff undertook training.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.