Password data breach ‘a wake-up call’ and example of ‘poor practice’

A significant password data breach within East Devon District Council has been slammed as a ‘wake-up call’ and an example of ‘poor practice’.

Daniel Clark 

Passwords used by some of the 60 strong East Devon District Council were made available to other councillors as a result of the data breach that was uncovered at the start of November 2020.

Swift action was taken to rectify the breach, with councillors having their passwords reset, and passwords were not visible to the public at any stage.

The password information pertained to Office 365 users and also the Airwatch software the council uses, and it is understood that Strata, East Devon District Council’s IT provider, at some stage had taken the decision to add the both Airwatch and Outlook 365 passwords to the individual councillor profiles, and as such, the data breach meant passwords were available to other members.

Details confirming East Devon’s use of both the Airwatch and Office 365 platforms were publicly available in documents in the council’s website prior to the data breach occurring.

East Devon District Council’s cabinet, when they met on Wednesday night to consider the breach, heard that because some Members were able to see passwords, it represented a technical data protection breach and that it was clearly poor practice not to protect sensitive information from those not entitled to see it.

Strata had also confirmed categorically that there was no public visibility to the password information and that the likelihood of councillor passwords and emails being compromised by other councillors appears very low.

But councillors said the issue was a ‘wake-up call’ and that the inability for councillors to set their own passwords had been raised back in May 2019 but had not been actioned, with them uncomfortable that all passwords had been stored on a spreadsheet, albeit one that had only very limited access and that the council’s monitoring officer, Henry Gordon Lennox, when compiling the report found he was unable to access.

Cllr Paul Millar, who discovered the breach, said that it was a very sad situation and that he was not being a ‘captain hindsight’ about his concerns.

He said: “As soon as I became a councillor and I received the councillor iPad I made representations to Strata that I was uncomfortable that I wasn’t able to set or amend or change the password at the time, and I was uncomfortable that others had my password, and my fears were justified.

“There was a spreadsheet in Blackdown House with the passwords of all members on it. I discovered the breach, I am disappointed that despite members raising the concerns and being able to set your own password is standard practice, I was disappointed that my and others concerns were not acted on before the breach occurred.”

Asked to explain how he discovered the data breach, Cllr Millar said that he was on his android phone on Office 365 in his emails and he discovered another councillor’s password was visible on their profile.

He said that he checked his own profile and his password was visible, and thought that it could be the same for others, and immediately reported the issue to Strata.

Cllr Millar added: “My worry remains that as councillors we have extremely sensitive data in the email accounts and as much as it was only other councillors who could see the information, we are going through nasty political times in the council, and had another councillor seen the password, they may have hacked into their emails.

“Lessons have been learnt and we need to implement the changes needed to ensure this never happens again and have that multi-faceted verification.”

Cllr Fabian King said that the line in the report that ‘the risk appeared very low’ was ‘a fairly gentle remark’ but was ‘a wake-up call’.

He added: “The report concentrates on fixing the breach which is commendable and Strata provides a very good service all round, but this is a wake-up call. Any invitation to have a ‘look over the wall’ could be very tempting and given the opportunity, people may be tempted to see what is going on.

“We need to acknowledge that over a length of time, internal measures of this sort are rather incestuous, and I do believe that we need to give room for an independent audit.”

Laurence Whitlock, Strata IT Director, in his report to the meeting, said: “Such incidents are treated seriously by Strata. It is clear that once notified of the disclosure, Strata reacted very quickly and professionally in mitigating the risk and identifying the root cause.

“The key critical point is that it can be confirmed that external visibility of the password information by individuals residing outside of the Strata provisioned Office365 environment would not have been possible, primarily because of the secure way in which the Strata Office365 environment has been designed, built and deployed.

“Hence, Strata can confirm categorically that there was no public visibility to the password information. In addition, the likelihood of Councillor passwords and emails being compromised by other Councillors appears very low and any misuse of the password information would have been in contravention of the Computer Misuse Act 1990.”

He added: “There is no evidence to suggest that there has been any unauthorised or malicious use of passwords during the log period of August 11, 2020 until November 13, 2020. In all likelihood, had there been any unauthorised activity prior to the log period, this would have continued during the log period itself.

“Based on Strata’s investigation coupled with Strata’s determination of the likely timeframe when the passwords actually became visible, it is Strata’s professional judgement that in reality the likelihood of the passwords having been compromised by other Councillors at any time is very low.

“Strata reported the incident to the Information Commissioners Office (ICO), who have reviewed the case and due to the speed of the Strata response and the controls in place, the ICO have concluded no further action is necessary and the case has been closed.

“The root cause of the incident was rapidly identified by Strata and corrective measures put in to place immediately and there was no wider risk of threat to the Council’s IT systems.”

Key lessons learned and recommendations that have been identified as result of this incident, the cabinet heard, was that councillors need to be provided with the ability to manage their own passwords, irrespective of how complex the delivery of such functionality is.

The report said: “Whilst this may make the support of councillor devices and applications more difficult, a solution to this issue needs to be identified, procured and implemented.”

Other lessons included that Strata security practices need to be reviewed regularly to ensure that there are no weaknesses in access controls, the security of data and in particular passwords is all staff’s responsibility and any evidence of poor practice should be reported immediately, but that the issue of others being able to see passwords in a list and the use of similar passwords is clearly poor practice and steps, such as appropriate training and reminders to staff, will be undertaken to seek to avoid a repeat event.

The meeting that it would not be until around April before the processes were changed so that councillors would have the ability to set and reset their own passwords.

Cllr John Loudoun, in recommending that the cabinet note the report, also called for the Devon Audit Partnership to carry out an audit of Strata’s process, and for the South West Audit Partnership to take a look at East Devon’s data processes.

He said: “That would go some way to reassure and to answer the question of whether or not we want further independent reassurance.”

The Information Commissioners Office, having been asked to consider the breach, decided that no further action was necessary on this occasion.

They said: “It appears that the information was exposed to a limited number of people, and technical logs have shown that there has been no incorrect access to the data. This could reduce the risk to the data subjects.

“The personal data breach is not likely to result in a high risk to the data subjects and it appears you have the appropriate technical security measures in place to protect the personal data you process.

“After discovering the incident, steps have been taken to remove the information and to synchronise the system to contain the breach, and additional steps have been taken to change passwords to prevent any unauthorised access.

“The root cause of the incident was process based and you have changed your process for recording information to prevent another incident of this nature and it is noted that all sensitive data has been removed, which could reduce the risk of this information being disclosed.”

3 thoughts on “Password data breach ‘a wake-up call’ and example of ‘poor practice’

  1. This seems a very cursory report which skirts over the real issues. Who signed off on a policy which prevented councillors having control of their own passwords? Bearing in mind that since it was created from the internal services of the 3 authorities is that a policy inherited from one or all of these? A policy facilitating Stalinist control in an authority with a reputation for coercive control. Access by the public is a red herring issue., it’s access by an inner controlling group that is the concern. Perhaps the discovery of a spreadsheet at EDDC HQ gives a clue. Just because no unauthorised use was noted during the 3 month monitoring period can one safely assume that to be a representative appraisal. That would depend on those most likely to misuse the access being kept out of the loop. I seriously can’t see that having happened. I believe there needs to be a thorough review conducted of the pre Strata practices in the individual authorities, certainly as far as East Devon is concerned, with anyone present before that date not allowed to influence or view the work in progress before final report.


  2. So, but for Cllr Paul Millar’s alertness the situation would likely have continued. Worrying that a Strata action seems to have caused the issue and that they didn’t pick it up. Sloppy


  3. The shocking aspect of this is that Strata is reported to have stored Councillors’ passwords. That’s bad enough but then we find that these passwords were apparently displayed in Councillors’ profiles and, worse still, stored on a spreadsheet. None of this should ever have happened. Nobody should be able to see passwords. They have to be stored for technical reasons but they should be stored in a way that meets the necessary data security standards. As a minimum they must be salted and hashed. If Councillors forget passwords, they should have a forgotten password routine available to them that can only be used with two factor authentication. And I wonder how many of those Councillors use the same password for multiple systems? Do they realise that they need to change their password on all other systems that use the same one that has been compromised? Finally, if this is evidence of the EDDC approach to data protection, they need to carry out an organisation-wide data security review and make sure that there are no other areas where personal data is put at risk.

    Liked by 1 person

Comments are closed.