Cyber Incident Victim: Cambridgeshire County Council

Date: May 2023

Location: United Kingdom

Summary

Cambridgeshire County Council was impacted by the MOVEit cyber attack, which resulted in a significant data leak of HR files from its old e-recruitment system. The breach compromised hundreds of sensitive documents containing personal details, including national insurance and bank account information. The council acted immediately to investigate, strengthen defenses, and notify those affected, as well as reporting the incident to the Information Commissioner’s Office and the National Cyber Security Centre.

Description

On or around May 31, 2023, Cambridgeshire County Council publicly acknowledged it had fallen victim to a significant data leak stemming from a global cyber attack targeting the MOVEit file transfer application. The incident involved the unauthorized access and exfiltration of a number of HR files containing personal data used for the council’s old e-recruitment system. The council clarified that this specific process was managed on its behalf by a shared services lead authority, and the data was breached as a direct consequence of the wider MOVEit cyber-attack, which affected numerous other firms, businesses, and companies across the UK. The compromised data consisted of hundreds of sensitive documents and accounts. The types of details typically targeted in such attacks, and by implication present in the leaked files, included national insurance numbers and, in some cases, bank details.

Upon discovery of the breach, Cambridgeshire County Council acted immediately to initiate an investigation into the attack and to ensure its cyber defences were strengthened. The council worked closely with the lead authority responsible for managing the compromised system. As a primary response action, the council undertook the task of contacting every individual who may have been affected by the data exposure to inform them of the incident. Official notifications were also made to the UK’s national regulatory and security bodies; the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) were both notified of the breach in accordance with standard procedures. Furthermore, the council engaged the services of data specialists Experian to provide additional support for those individuals whose data was compromised, offering them guidance and help to mitigate potential impacts.

The council’s public statement emphasized that there were no reports of ransom demands being sought from the council or of money being stolen as a direct result of the attack. The focus of the response was on transparency, supporting affected individuals, and reinforcing security postures. The council also took the opportunity to direct the public to the National Cyber Security Centre’s website for general advice and information on steps individuals can take to protect themselves from the impact of data breaches, though this was presented as a general reminder rather than a specific instruction related to this incident.

This cybersecurity incident occurred shortly after a separate, unrelated data exposure involving the council. On a previous occasion, Cambridgeshire County Council had apologised after 300 email addresses were inadvertently shared. This occurred when an email regarding the closure of Mill Road Bridge was recalled by a sender at the council, an action which had the unintended effect of revealing all 300 recipient email addresses to everyone on the distribution list. The council described this earlier event as a human error and confirmed it had been addressed internally with the team involved. A spokesperson stated that the error had been referred to the Information Commissioner and that the council would be apologising directly to those affected. This prior incident, while a breach of data privacy, was explicitly stated to be the result of an internal mistake and was not connected to the subsequent malicious MOVEit cyber attack. The council’s disclosure of both events illustrates a period of heightened attention to data security issues within the organization, though the causes and scales of the two incidents were fundamentally different.
