Sunderland City Council

Sunderland City Council is the local authority responsible for providing public services and governance to the City of Sunderland in the United Kingdom. Its core functions encompass a wide range of municipal duties including education, social services, waste management, urban planning, and the maintenance of public infrastructure such as libraries and leisure facilities. The council serves a defined resident population within its geographic jurisdiction, operating as a key administrative body for the region. A notable aspect of its public-facing services is its library system, which maintains a customer database of approximately 145,000 user accounts, indicating a significant local footprint and direct engagement with a substantial portion of the community it serves. This scale of service delivery involves handling considerable volumes of personal data, positioning the council as a custodian of sensitive resident information.

The council's operational history includes two documented significant cyber incidents that have shaped its security posture. In November 2018, it endured a complex, week-long attack characterised by a surge of 400,000 spam emails, phishing and spoofing attempts, and at least one distributed denial-of-service (DDoS) attack, compounded by a password spray attack that locked user accounts. An internal review following this incident identified pre-existing deficiencies in the council's technology standards and compliance, which had been rated as inadequate in a prior audit. In response, the council outlined a remediation plan focused on enhancing security measures, including a mandated migration of systems to Windows 10 and the enforcement of default password changes. A subsequent breach in May 2019 targeted the library services database, resulting in the unauthorised access of personal information—including names, dates of birth, and telephone numbers—for 45 compromised accounts out of the total 145,000. These sequential events underscore a period of heightened vulnerability and a reactive, though planned, evolution in the council's cybersecurity framework, moving from a state of recognised inadequacy toward a more proactive, albeit still acknowledging the impossibility of absolute protection, security stance.