Gloucester City Council fined £100,000 after hacker accesses 'sensitive personal information'
The Information Commissioner’s Office (ICO) has fined Gloucester City Council £100,000 after a cyber attacker accessed council employees’ sensitive personal information.
The attacker took advantage of a weakness in the council’s website in July 2014, which led to over 30,000 emails being downloaded from council mailboxes. The messages contained financial and sensitive information about council staff.
The ICO has stated that, despite its well-publicised warnings about the ‘Heartbleed’ software flaw, which the attacker exploited, the council failed to repair the vulnerability in a timely manner, leaving personal information at risk and breaking data protection law.
The ICO investigation found that the council did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made. The attacker contacted them claiming to be part of Anonymous, a group known for attacks on websites.
A blog post published by the ICO has advice for UK businesses on how they can protect themselves from ransomware attacks.