Devon council data leak under investigation

A significant password data breach involving East Devon councillors has been uncovered – and is now under investigation by the Information Commissioner’s Office.

Owl can confirm that they failed to spot the data breach! (The article contains a splendid photo of “Colditz”.) 

Daniel Clark www.devonlive.com

Passwords used by at least 37 of the 60 strong East Devon District Council were briefly made publicly available as a result of the data breach that happened at the start of November.

Swift action was taken to rectify the breach, with councillors having their passwords reset.

It is understood that Strata, East Devon District Council’s IT provider, at some stage took the decision to add the both Airwatch, and Outlook 365 passwords to the individual councillor profiles, and as such, the data breach meant passwords were available.

It also meant that all the data within the councillors’ emails, which could have included confidential information such as probation reports, medical info and electoral register data, could have been accessed by other council members.

The Strata team acted quickly to reset the passwords and notified the Information Commissioners’ Office of the breach, and a full report will come before the council’s cabinet in 2021.

Cllr Paul Millar, who discovered the initial data breach, asked questions around the issue at Wednesday’s full council meeting.

He asked of Cllr Jess Bailey, Portfolio Holder for Corporate Services, what her assessment of the recent significant password data breach for Members, what steps is she taking to ensure that the appropriate safeguards are introduced to prevent the same or similar situation from happening again, and when will Cabinet receive a report?

In response, Cllr Bailey said: “Whilst I recognise that this is a serious matter, I have been sufficiently reassured such that in my view the actual risk of anything untoward having occurred is extremely low.

“Quick and early responsive action was taken to rectify the issue – acknowledged by the ICO – and I understand that the issue is very specific and, as such, is highly unlikely to result in any wider implications for the rest of the Council’s systems.

Blackdown House, East Devon District Council\'s new HQ in Honiton

Blackdown House, East Devon District Council\’s new HQ in Honiton

“The investigation report from Strata, which will come to Cabinet in the near future, will address this and I have been reassured that the Council’s Data Protection Officer will be ensuring that the recommendations and any mitigation actions identified are appropriate and that they will be implemented.”

As a supplementary, Cllr Millar asked for a yes or no answer to the question of ‘can you offer a categorical assurance that my emails and the data of many residents inside those emails were accessed by a third party?’

Cllr Bailey replied: “There will be a report coming through and once that’s available will be brought through,” to which Cllr Millar said: “That’s a no then.”

After the meeting, he added: “The Portfolio Holder’s evasive answer to my question confirms that she does not appear have any handle on an extremely significant data protection issue within the Council.

“There are simply no grounds to suggest that the risk is “extremely low” as she suggested in her written answer to me.

“I look forward to a proper explanation on behalf of the residents in my Ward that my email password and sensitive data will never be able to be viewed by third parties.

“There is no doubt of the seriousness of this situation and I have to say that I am very unimpressed with the Portfolio Holder’s total lack of urgency in terms of providing Members and residents with the much-needed clarity and peace of mind that she is personally on the case..”

A spokesman for East Devon District Council said there was nothing more they wanted to say in addition to the answer from the portfolio holder.