UK: Contractor breach affected a number of councils’ employees
A leak previously noted on this blog may have affected a number of councils’ employees. Chris Murphy reports that Medway Council is the latest council to reveal its employees’ data have been exposed on the Internet.
Council staff and bosses have been left fuming after sensitive personal information was leaked online – sparking a major police investigation.
Medway Council had employed a company called Diagnostic Health Solutions to monitor staff sickness and absenteeism. But hundreds of staff records were leaked and ended up being uploaded onto a website.
They have now been removed, the council has terminated the company’s contract and now City of London police officers are investigating.
The council confirmed that names, dates of birth and employment details appeared on a website before the alarm was raised.
It is thought some 750 people were affected who worked in the regeneration, community and culture directorate.
In an email to staff explaining the situation, the council said the system was launched last August and “seemed to be working well”.
It then adds: “Over the last few days we have become aware that some data held by DHS has found its way on to a new website which has since been closed down.
Read more on Kent News.
So what happened here? Were the data hacked from DHS and then dumped online? It’s not clear from any coverage I’ve seen on the case, but Murphy quotes a DHS spokesperson as saying, “This wasn’t an employee and wasn’t an ex-employee, but everything has been handed to the City of London police who are investigating. We are keeping our clients up to date with what’s happening.”
Jenni Horn of Kent Online reports:
It is thought the leak came to light after an employee at Basildon council, which also had a contract with DHS, spotted the data while using Google to search their own name.
The breach of Basildon Council‘s employee data was reported previously without naming DHS.
Employees of Thurrock Council have also been affected by the breach. Last Friday, The Thurrock Gazette reported:
The personal details of more than 2,800 workers at Thurrock and Basildon councils were splashed over the internet.
Both authorities are now investigating the “serious security breach”, which saw the names, dates of birth, telephone numbers, sickness history and even payroll numbers of employees appear online.[…]
It is thought 1,600 employees at Thurrock Council were hit by the gaffe.
So that’s three councils so far that I’m aware of. How many more are there? And how did this breach occur? Expect updates to this incident. If anyone has additional details or information, please use the Comments sections below or e-mail me.