UK councils recorded some 5,000 data security breaches in 2023, according to responses to Freedom of Information requests submitted earlier this year by Apricorn.

Submitted through Whatdotheyknow.com in February 2024, the FoI requests show that Kent County Council declared 734 breaches between January and December 2023, whilst Surrey County Council amassed 665 and Norfolk Council 605. Other big losses included Warwickshire County Council (495) and East Sussex (490).

“We’re familiar with the fact organisations suffer data breaches, particularly those housing valuable customer data,” said Jon Fielding, managing director, EMEA Apricorn. “That said, the excessive number of breaches being declared is concerning. These government organisations should be setting a precedent in terms of data protection. Whilst we know there is no silver bullet for preventing a breach, multiple steps and processes can be put in place to limit the risks of a breach.”

Warwickshire County Council said its devices are not encrypted and the organisation relies upon the use of multi-factor authentication to access its systems. Whilst all devices have the capability to be remote wiped and all data can be either stored in applications or on shared network drives, this does not completely prevent the potential access to sensitive data should any of its devices fall into the wrong hands.

Surrey County Council, when questioned on how many USB devices had been lost or stolen, noted that peripherals are not tracked and that memory sticks are departmental responsibility. Again, this is concerning as devices are not being accurately tracked and documented which could result in a major breach that the council would be unaware of if the items are unknowingly misplaced.

In its response to queries regarding the number of lost and stolen devices within the organisation, Lancashire County Council said that it does not record/document this information, putting it at risk of failed compliance with data protection regulations, such as the General Data Protection Regulation and posing a significant threat to customer data security.

“Failing to properly document and report lost and stolen devices not only compromises the privacy and security of individuals' information but also undermines the trust and credibility of the council, Fielding added. “Lancashire County Council should prioritise the implementation of robust documentation procedures. This includes promptly reporting incidents to the appropriate authorities, conducting thorough investigations and taking immediate action to mitigate any potential data breaches and demonstrate commitment to protecting the privacy and security of its constituents' data.”

---