Data breach at East Devon District Council

Information Commission investigating

A significant password data breach involving East Devon councillors has been uncovered and is under investigation by the Information Commissioners Office.

Passwords used by at least 37 of the 60 councillors at East Devon District Council were briefly available to other councillors in the breach in November. Swift action was taken to rectify the breach, with councillors having their passwords reset.

It is understood that Strata, East Devon District Council’s IT provider, at some stage took the decision to add two passwords to individual councillor profiles which could then be read by other people. It also meant that all the data within the councillors’ emails, which could have included confidential information such as probation reports, medical information and electoral register data could have been accessed by other council members.

Strata notified the Information Commissioners Office of the breach and a full report will come before the council’s cabinet next year.

Cllr Paul Millar, who discovered the initial data breach, asked questions around the issue at a full council meeting. He asked Cllr Jess Bailey, portfolio holder for corporate services to give her assessment of the password data breach and what steps were being taken to prevent a similar situation. She said: “Whilst I recognise that this is a serious matter, I have been sufficiently reassured such that in my view the actual risk of anything untoward having occurred is extremely low.

“Quick and early responsive action was taken to rectify the issue – acknowledged by the ICO – and I understand that the issue is very specific and, as such, is highly unlikely to result in any wider implications for the rest of the Council’s systems.

Cllr Millar also asked for a yes or no answer to the question: "can you offer a categorical assurance that my emails and the data of many residents inside those emails were accessed by a third party?"

Cllr Bailey replied: “There will be a report coming through and once that’s available will be brought through,” to which Cllr Millar said: “That’s a no then.”

After the meeting, he added: “The portfolio holder’s evasive answer to my question confirms that she does not appear have any handle on an extremely significant data protection issue within the council. There are simply no grounds to suggest that the risk is “extremely low” as she suggested in her written answer to me.

“I look forward to a proper explanation on behalf of the residents in my Ward that my email password and sensitive data will never be able to be viewed by third parties. There is no doubt of the seriousness of this situation and I have to say that I am very unimpressed with the Portfolio Holder’s total lack of urgency in terms of providing Members and residents with the much-needed clarity and peace of mind that she is personally on the case.”

A spokesman for East Devon District Council said there was nothing more they wanted to say in addition to the answer from the portfolio holder.