Ticket Viewer Failure Costs Council £70,000
The Information Commissioner’s Office has issued a £70,000 fine to the London borough of Islington for failing to adequately secure its ticket viewing application, a failure that put 89,000 people at risk of having their information exposed.
An investigation found that 119 documents had been accessed 235 times without authorisation, affecting 71 people. The unauthorised access originated from 36 unique IP addresses.
“Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure it can have distressing consequences for all those involved. It’s therefore vital that all council staff take data protection seriously.”
The issue was discovered by a member of the public, who informed the council that by changing the URL, it was possible to access system folders containing personal data.
The commissioner’s office claimed the system should have been thoroughly tested by Islington Council before it went live and then on a regular basis, as per best practice.
Under the General Data Protection Regulation, which comes into force across Europe in May 2018, the fines imposed by the ICO could have been significantly larger, particularly because this breach involved highly sensitive information: personal, medical information in relation to appeals.
For a breach of this nature, the fines that can be imposed after May 2018 could be 4% of global turnover or €20M, whichever is higher. The current maximum fine is limited to £500,000.
Get in touch with us today for help developing your information security policies and implementing the changes your organisation needs ahead of GDPR.