Hosting firm exposes councils’ lax cyber security
Poor data security at several of the UK’s local councils has left sensitive expenditure information openly available on the internet.
Web hosting specialist UKFast has exposed the appalling level of data protection ignorance which left details of one council’s £83m spend – including suppliers’ contact details and prices – as simple to find and download as an MP3 track.
A quick Google search revealed numerous databases from both businesses and local government. Although some of the data is available to the public through the Freedom of Information Act 2000, one of the databases contained personal contact details of suppliers including names, addresses, phone numbers and email addresses, along with specific details of the council’s almost £83m spend over three years.
Lawrence Jones, CEO at UKFast, said: “Our security division regularly monitors the level of cyber risk across the internet to make sure our clients are protected from every type of threat. The public sector should set an example on data protection, so to discover such a lapse – where personal details and sensitive data are openly available – from a local government body is very concerning.”
UKFast’s security experts warned that the data discovery not only damages the council’s reputation but also puts the suppliers involved at risk of a type of cyber attack called spear-phishing. In a spear-phishing attack, criminals use personal information gleaned through data leaks or social media to impersonate a trusted source (the council or the supplier) and send malware-infected emails or requests for further information such as bank details or payments.
Jones continued: “We discovered several databases, not only from councils but from businesses as well, all filled with information that would allow cybercriminals to impersonate suppliers to steal money or personal information through even the simplest of attacks.
“It would not take any specialist technical skill to be able to find this information through a search engine and then put together a convincing email or phone call impersonating the suppliers to steal from the council or business.”
UKFast’s technical director Neil Lathwood offered advice to businesses and the public sector on how to ensure their data is not accessible via a Google search. He said: “Google is extremely good at indexing, so any files that you save on a web server may not be linked to from the website but will still be searchable by Google, so even the least technically skilled criminals can find your personal details.
“It is very basic cyber security to ensure that personal data, such as that discovered by our security team, is not stored unencrypted on your web server or on an unsecured intranet network.”