A significant password data breach within East Devon District Council has been slammed as a ‘wake-up call’ and an example of ‘poor practice’.
Daniel Clark www.devonlive.com
Passwords used by some of the 60-strong body of East Devon District Council councillors were made available to other councillors as a result of the data breach, which was uncovered at the start of November 2020.
Swift action was taken to rectify the breach, with councillors having their passwords reset, and passwords were not visible to the public at any stage.
The password information pertained to Office 365 users and also to the Airwatch software the council uses. It is understood that Strata, East Devon District Council’s IT provider, had at some stage taken the decision to add both the Airwatch and Office 365 passwords to the individual councillor profiles, so the data breach meant those passwords were available to other members.
Details confirming East Devon’s use of both the Airwatch and Office 365 platforms were publicly available in documents on the council’s website before the data breach occurred.
East Devon District Council’s cabinet, when they met on Wednesday night to consider the breach, heard that because some Members were able to see passwords, it represented a technical data protection breach and that it was clearly poor practice not to protect sensitive information from those not entitled to see it.
Strata had also confirmed categorically that there was no public visibility of the password information and that the likelihood of councillor passwords and emails having been compromised by other councillors appeared very low.
But councillors said the issue was a ‘wake-up call’. The inability of councillors to set their own passwords had been raised back in May 2019 but had not been actioned, and members were uncomfortable that all passwords had been stored on a spreadsheet, albeit one with very limited access, which the council’s monitoring officer, Henry Gordon Lennox, found he was unable to access when compiling the report.
Cllr Paul Millar, who discovered the breach, said that it was a very sad situation and that he was not being a ‘captain hindsight’ about his concerns.
He said: “As soon as I became a councillor and received the councillor iPad, I made representations to Strata that I was uncomfortable that I wasn’t able to set or amend or change the password at the time, and I was uncomfortable that others had my password, and my fears were justified.
“There was a spreadsheet in Blackdown House with the passwords of all members on it. I discovered the breach. I am disappointed that, despite members raising the concerns and being able to set your own password being standard practice, my and others’ concerns were not acted on before the breach occurred.”
Asked to explain how he discovered the data breach, Cllr Millar said that he was on his Android phone, in his emails on Office 365, when he discovered that another councillor’s password was visible on their profile.
He said that he checked his own profile and his password was visible, and thought that it could be the same for others, and immediately reported the issue to Strata.
Cllr Millar added: “My worry remains that as councillors we have extremely sensitive data in the email accounts and as much as it was only other councillors who could see the information, we are going through nasty political times in the council, and had another councillor seen the password, they may have hacked into their emails.
“Lessons have been learnt and we need to implement the changes needed to ensure this never happens again and have that multi-faceted verification.”
Cllr Fabian King said that the line in the report that ‘the risk appeared very low’ was ‘a fairly gentle remark’ but was ‘a wake-up call’.
He added: “The report concentrates on fixing the breach which is commendable and Strata provides a very good service all round, but this is a wake-up call. Any invitation to have a ‘look over the wall’ could be very tempting and given the opportunity, people may be tempted to see what is going on.
“We need to acknowledge that over a length of time, internal measures of this sort are rather incestuous, and I do believe that we need to give room for an independent audit.”
Laurence Whitlock, Strata IT Director, in his report to the meeting, said: “Such incidents are treated seriously by Strata. It is clear that once notified of the disclosure, Strata reacted very quickly and professionally in mitigating the risk and identifying the root cause.
“The key critical point is that it can be confirmed that external visibility of the password information by individuals residing outside of the Strata provisioned Office365 environment would not have been possible, primarily because of the secure way in which the Strata Office365 environment has been designed, built and deployed.
“Hence, Strata can confirm categorically that there was no public visibility to the password information. In addition, the likelihood of Councillor passwords and emails being compromised by other Councillors appears very low and any misuse of the password information would have been in contravention of the Computer Misuse Act 1990.”
He added: “There is no evidence to suggest that there has been any unauthorised or malicious use of passwords during the log period of August 11, 2020 until November 13, 2020. In all likelihood, had there been any unauthorised activity prior to the log period, this would have continued during the log period itself.
“Based on Strata’s investigation coupled with Strata’s determination of the likely timeframe when the passwords actually became visible, it is Strata’s professional judgement that in reality the likelihood of the passwords having been compromised by other Councillors at any time is very low.
“Strata reported the incident to the Information Commissioner’s Office (ICO), who have reviewed the case and, due to the speed of the Strata response and the controls in place, the ICO have concluded no further action is necessary and the case has been closed.
“The root cause of the incident was rapidly identified by Strata and corrective measures put in to place immediately and there was no wider risk of threat to the Council’s IT systems.”
The key lesson learned and recommendation identified as a result of this incident, the cabinet heard, was that councillors need to be given the ability to manage their own passwords, irrespective of how complex it is to deliver that functionality.
The report said: “Whilst this may make the support of councillor devices and applications more difficult, a solution to this issue needs to be identified, procured and implemented.”
Other lessons included that Strata’s security practices need to be reviewed regularly to ensure there are no weaknesses in access controls; that the security of data, and of passwords in particular, is every member of staff’s responsibility, and any evidence of poor practice should be reported immediately; and that others being able to see passwords in a list, and the use of similar passwords, is clearly poor practice, so steps such as appropriate training and reminders to staff will be taken to seek to avoid a repeat event.
The meeting heard that it would not be until around April that the processes would be changed so that councillors have the ability to set and reset their own passwords.
Cllr John Loudoun, in recommending that the cabinet note the report, also called for the Devon Audit Partnership to carry out an audit of Strata’s process, and for the South West Audit Partnership to take a look at East Devon’s data processes.
He said: “That would go some way to reassure and to answer the question of whether or not we want further independent reassurance.”
The Information Commissioner’s Office, having been asked to consider the breach, decided that no further action was necessary on this occasion.
They said: “It appears that the information was exposed to a limited number of people, and technical logs have shown that there has been no incorrect access to the data. This could reduce the risk to the data subjects.
“The personal data breach is not likely to result in a high risk to the data subjects and it appears you have the appropriate technical security measures in place to protect the personal data you process.
“After discovering the incident, steps have been taken to remove the information and to synchronise the system to contain the breach, and additional steps have been taken to change passwords to prevent any unauthorised access.
“The root cause of the incident was process based and you have changed your process for recording information to prevent another incident of this nature and it is noted that all sensitive data has been removed, which could reduce the risk of this information being disclosed.”