
Cyber Incident Victim: City of Edinburgh Council

Date: Jun 2015

Location: United Kingdom

Summary

A malicious cyber attack targeted the City of Edinburgh Council's externally hosted website service provider, compromising over 13,000 email addresses from its database. The organization confirmed no other personal data was accessed and assured affected individuals of ongoing security measures while warning of potential spam or phishing risks. The incident was reported to the Information Commissioner's Office and the UK Government's Computer Emergency Response Team, with immediate steps taken to enhance security protocols. Council services remained operational throughout, and impacted parties were directly notified with guidance to mitigate further exposure.


Description

On or around June 27, 2015, malicious actors executed a cyber attack targeting the City of Edinburgh Council’s website service provider, a UK-based data centre located in England. The breach resulted in unauthorized access to the council’s database, specifically compromising over 13,000 email addresses. No other personal information or sensitive data was accessed during the incident. The council confirmed the attack occurred through their externally hosted website infrastructure but emphasized that no internal council services or operational systems were disrupted. Officials publicly disclosed the breach on July 7, 2015, ten days after the initial compromise, warning affected individuals about potential increases in spam or phishing emails leveraging the stolen email addresses. The attack’s impact was confined to the theft of contact information, with no evidence of further system infiltration or secondary data exfiltration reported.


The City of Edinburgh Council initiated a coordinated response by immediately notifying the UK Information Commissioner’s Office (ICO) and the UK Government’s Computer Emergency Response Team (CERT-UK) following the breach discovery. Affected individuals received direct communications from the council outlining the incident’s scope and guidance on mitigating phishing risks. Web service providers implemented unspecified additional security measures to prevent recurrence, though technical details of these controls were not disclosed publicly. Council representatives emphasized the swift containment of the attack and reiterated that website security remained a critical priority, with ongoing collaboration between the council and its third-party providers to address attack risks. No operational disruptions to education services or other council functions were reported, and the incident concluded without further escalation.
