Details of 400 vulnerable citizens were sent outside the council’s network
Essex County Council has admitted to a serious data breach which has potentially left 400 people exposed to identity fraud.
The leaked details include names, addresses and financial information of around 400 vulnerable users of the council’s services.
The council claims the breach was caused by an employee in the Adults Health and Community Wellbeing department sending the information to a computer outside the council’s network. Essex County Council has not revealed exactly how the data breach occurred beyond telling CBR in a statement that it was, "sent electronically to a member of staff’s home computer."
According to local news website This Is Total Essex, the council worker has subsequently been dismissed.
Essex Police and the ICO have been informed, the report added.
In a statement the council confirmed a breach but played down fears the information could lead to identity theft.
"While we are unable to give specific details we can confirm that the investigation centres on an ex-employee who breached our information security policy. Whilst the ex-employee had signed a declaration stating they had deleted the information and not shared it with anyone, it is our duty to inform service users that their information has been compromised," the statement said.
"We do not believe there is malicious intent behind this incorrect use of data. The information involved is such that (the risk of) identity theft is minimal," the council added.
The council added that it provides mandatory training to all staff in data governance and information handling and has "strict" information security policies and procedures in place.
"With all the security procedures we are supposed to have now and all the millions the county council has spent on the best IT, it beggars belief that something like this can have happened," said Councillor Mike Mackrory, Liberal Democrat opposition leader at the council.
"I am frankly staggered. We need to get to the bottom of it quickly and ensure our procedures are even tighter," he said.
The Information Commissioner’s Office (ICO) is likely to look into the incident. In a statement it told CBR: "We have recently been made aware of a possible data breach which may involve Essex County Council. We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act (DPA) before deciding what action, if any, needs to be taken."
It was recently revealed that the data watchdog had handed out 68 warnings over the last year, up from just 46 the previous year.
The ICO has also increased the frequency and amount of fines it has handed out. During the specified time period it handed out 15 fines totalling £1.8m, well up on the six fines totalling £431,000 handed out the previous year, recent figures revealed.