Cyber Incident Victim: Flintshire Council

Date: Aug 2020

Location: United Kingdom

Summary

A local authority's website was compromised, resulting in unauthorized access to personal data from individuals who submitted comments on planning matters within its Local Development Plan. The exposed information had initially been redacted in publicly posted summaries, but the redaction was deliberately circumvented through targeted actions against the council's systems. Officials detected the breach and removed the affected documents within hours of their publication, notified impacted parties, and confirmed that a limited number of records were involved. The council acknowledged that its redaction software had proved insufficient and implemented more secure alternatives for future document releases. Evidence was provided to the Information Commissioner's Office regarding potential illegal republication of the compromised data by third parties.

Description

On or around August 12, 2020, Flintshire Council in Wales experienced a data breach involving its website. The incident occurred when personal information of individuals who had submitted comments on the council's Local Development Plan (LDP) – a document outlining proposals for housing and development – was compromised. Although summaries of public comments were published on the website with personal details redacted, an unauthorized actor deliberately circumvented the redaction protections. Council officials stated the breach was identified within three hours of the documents being published online, after which the affected materials were promptly removed from public access. The compromised data involved a "small number" of records containing personal information that had been submitted during the LDP consultation process.

Flintshire Council confirmed it directly notified individuals impacted by the breach. The authority also disclosed that personal details obtained during the incident had been subsequently republished online by third parties, an act the council deemed illegal and reported to the UK Information Commissioner's Office (ICO) with supporting evidence. Gareth Owens, the council's chief officer for governance, publicly apologized for the incident and attributed the breach to inadequate redaction software. In response, the council sourced and implemented more robust redaction software to securely protect personal information before republishing the LDP documents. The breach exposed vulnerabilities in the council's data handling processes for public consultations but did not disrupt broader council services or operations.
