The worst councils in the UK for data breaches in the last five years


For so many of us, where we live is one of the most important aspects of our lives. We spend every day inside of our homes and our local communities, so making sure they work for us and help us to thrive is key.

Of course, things do go wrong. Whether that’s feeling like our town may be lacking key features, or even struggling to pay our tax. Sometimes we need a helping hand to get where we live feeling like home again.

Luckily, we have plenty of institutions there to help us when something needs to be fixed.

Local Councils possess lots of sensitive data

Our local councils are the people we trust to look after the most important parts of our lives, but what happens when they can’t keep our extended selves safe?

To be able to monitor streets, homes and local organisations whilst improving the streets we live on, councils have to store our personal data.

That ranges from your date of birth, down to whether or not you live alone – all private information that you wouldn’t want to shout out to the world.

But whilst they need our key information to be able to do what’s best for us, this can lead to our privacy being invaded thanks to data breaches.

Data breach definition

Data breach meaning: A data breach is an incident where data is seen by an unauthorised individual or group, compromising the private nature of the information. When looking at businesses or organisations, this can be personal information from a client/customer, or internal data such as sales figures or expense sheets.

UK Council data breaches

We wanted to see where in the UK local councils experience the most data breaches. We know that institutions often undertake extensive security training and follow preventative measures such as abiding by GDPR rules.

But despite this, breaches still happen, and your private information can be compromised.

So, we sent out Freedom of Information (FOI) requests to 103 county councils across the UK, questioning them on their data breaches over the last five years. Of those contacted, 79 responded.

Focusing on the breaches caused by human error, we found the councils that have experienced the largest number of data breaches of their community’s private information.

Our analysis also revealed to us the councils managing to avoid data breaches due to human error, and where in the UK has seen the most improvement over the last five years.

Largest number of breaches

The FOI results highlighted Hampshire County Council as the UK’s worst council for human error-caused data breaches. Since 2016, the council has recorded 3759 – with the years 2018 to 2019 experiencing the most with 902 breaches.

2020 to 2021 has seen a slight decline after the council recorded 831 breaches, but these recent numbers show a growing problem.

Between 2016 and 2017, Hampshire County Council recorded 556 data breaches, which shows a 49% increase!

Council | Total data breaches
Hampshire County Council | 3759
Gloucestershire County Council | 2723
Lancashire County Council | 1260
Warwickshire County Council | 1252
East Sussex County Council | 1250
Norfolk County Council | 1226
Oxfordshire County Council | 1181
Suffolk County Council | 1161
North Yorkshire County Council | 1106
Wiltshire Council | 1028
West Sussex County Council | 966
Surrey County Council | 952
Cambridgeshire County Council | 908
East Riding of Yorkshire Council | 844
Cheshire East Council | 797

However, the FOI results showed that, despite Gloucestershire County Council being the second worst council for data breaches with 2,723 since 2016, it has seen the largest increase.

Between 2016 to 2017, Gloucestershire County Council recorded just 90 data breaches of the community’s private information. However, in 2020 to 2021 they recorded 1,004 which is their worst year to date – revealing a 1016% increase in just five years.

Our FOI request revealed that Lancashire County Council is the third-worst council in the UK for human error-caused data breaches. Recording 1,260 breaches overall, the council did not have data available for any breaches that occurred between 2016 to 2017.

This could mean that there were in fact more breaches occurring within Lancashire County Council in the last five years, meaning the 106% increase since 2016 could be higher.

Warwickshire and East Sussex Councils were fourth and fifth, after our FOI results revealed they experienced 1,252 and 1,250 data breaches respectively.

Warwickshire County Council experienced the majority of its data breaches between 2018 to 2019 – recording 356. However, East Sussex Council recorded the most between 2020 to 2021 with 351.

Of course, whilst not every council recorded thousands of breaches, plenty experienced their fair share of human error leading to private information being compromised.

Despite not having any data available for the period 2016 to 2018, West Sussex Council recorded 996 breaches in just three years. Just over a third of these breaches (335) were between 2020 to 2021.

Cambridgeshire County Council also placed in the ‘top’ 15 councils experiencing the most human error-caused data breaches, with 908 overall. Their worst year was between 2019 to 2020, recording 289 breaches – 201 more than between 2016 to 2017 (a 232% increase).

Visualisation: UK Council Data breaches 2016 – 2021

Some councils did pretty well

Thankfully, not all councils that responded to our FOI request experienced huge numbers of breaches. However, many followed similar patterns, with the number of breaches increasing throughout the last five years – perhaps due to technology becoming the main way of storing data.

Flintshire County Council’s FOI response highlights this. They recorded 30 data breaches caused by human error between 2016 to 2017. By 2021, the council had seen an increase of 253% with the latest figures showing 106 breaches.

Similar numbers can be seen in Pembrokeshire County Council’s response too, with 27 breaches between 2016 to 2017 rising to 106 between 2020 to 2021 – a 293% increase.

The Scottish council, Shetland Islands Council, reported a much smaller number of breaches in comparison to English councils.

Since 2016, they’ve seen just 49 instances of private information being compromised by a breach. Their worst year was 2020 to 2021, recording 16 breaches so far.

But despite these impressive numbers, some councils have managed to avoid even more breaches.

Smallest number of breaches

However, not all councils have seen human error resulting in the breach of their community’s private information.

Armagh City, Banbridge and Craigavon Borough Council have recorded just four data breaches since 2016, two between 2016 and 2017 and the other two between 2019 and 2020.

Mid and East Antrim Borough Council boast similarly low numbers, with five being recorded between 2018 to 2019, and just one breach between 2019 to 2020.

Visualisation: UK Council Data breaches 2016 – 2021

Council | Total data breaches
Armagh City, Banbridge and Craigavon Borough Council | 4
Mid and East Antrim Borough Council | 6
Derry City and Strabane District Council | 10
Mid Ulster District Council – Dungannon | 10

Out of all the councils who responded, those were the only two councils to have recorded single-digit numbers of human error-caused data breaches.

Derry City and Strabane District Council recorded ten in the last five years, as well as Mid Ulster District Council.

Most improved

Thankfully, some councils across the UK have managed to get their human error-caused data breaches under control.

Our FOI request results revealed that Essex County Council has seen a huge change in their data breaches. Between 2017 to 2018, they recorded 135 instances of private data being compromised. However, this figure has steadily decreased over the following years, to just 19 breaches between 2020 to 2021 – an 86% decrease.

Central Bedfordshire Council saw a similar trend, as between 2018 to 2020 they averaged at 55 breaches a year. However, 2020 to 2021 saw just 35 breaches recorded – a 36% decrease.

Ards and North Down Borough Council had far fewer data breaches recorded in comparison with other councils, and has even managed to reduce them over the years too.

The number of the council’s breaches peaked in the years between 2018 to 2019, with 21 recorded instances. However, by 2021, they found just five instances in which private information was compromised.

However, despite these improvements, the UK’s councils saw a total of 33,645 human-caused data breaches compromising private information in the last five years.

So, next time you’re thinking of applying for planning permission, or even just asking for a second recycling bin – be aware of who you’re giving your data to and how it’s going to be handled.

Methodology

We submitted FOI requests to all English county councils, local Scottish councils, local Northern Ireland councils and Welsh local councils. The FOI requests were sent on the 3rd of September 2021. 79 councils replied.

Cybersecurity analyst
David is a cybersecurity analyst and one of the founders of VPNoverview.com. Since 2014 he has been gaining international experience working with governments, NGOs, and the private sector as a cybersecurity and VPN expert and advisor.