Data breach lessons

Written by Colin Marrs on 13 July 2015 in Features

Last week, hackers stole 13,134 email addresses from City of Edinburgh Council. Professor Bill Buchanan of Edinburgh Napier University offers his verdict.

At first look, the hack involving City of Edinburgh Council reported earlier this week doesn't look too serious, as there do not seem to be any passwords involved. All that has been revealed is email addresses, which can often be gained from other sources.

The only threat would be in spear phishing of users with council-related emails, but the users involved probably will be wary of any emails sent from the council anyway.

Councils should possibly learn from others with larger budgets. As with the US hack on OPM (Office of Personnel Management), the focus is increasingly on detecting the first signs of a hack and trying to overcome it. Like it or not, this tends to be a human activity, running 24x7, and using advanced logging methods, which councils will struggle to afford.

Really, the public sector is struggling not only to keep up with the pace of increasing IT integration but also to support it properly. If the US OPM can't do it properly, the UK public sector will especially struggle.

In this amazing city, we have so many companies involved in computer security and we are building an infrastructure of Cyber Age companies. There thus need to be more ways to share best practice to support all stakeholders, and we hope to help with the development of The Cyber Academy, which is a place where everyone can share information.

No one domain can hold all the knowledge in this new information age and we must all work together to share best practice. The public sector needs it as much as any, especially in supporting the drive to get services online.

I had a case just the other day where I could change the address on my driving licence online, but if I want to change the address on my vehicle I need to fill in a form (and sign it - tut!) and send it back.

The UK and Scottish governments have targets of allowing citizens to get access to their health records by 2020, so the public sector will have to learn how to set up detection systems in order to stop large-scale data breaches, and hopefully share resources and intelligence.

This article is based on "Edinburgh Breach - Can The Public Sector Keep up with Computer Security?", an article by Professor Bill Buchanan of Edinburgh Napier University.
