
Moray Council refers itself to watchdog over apparent data breach





Dozens of people have had their personal details published online by council staff during a two-year spate of apparent data leaks.

Moray Council has reported itself to the data protection watchdog after the authority’s staff posted information about customers onto a public website, accessible through a Google search, on more than 30 occasions.

Moray Council has reported itself over the data breach...Picture: Moray Council/HNM

Archived copies of the apparent breaches, collated over the last six months, suggest that removal of the posts only started after we contacted victims.

This included an NHS worker who had more of her personal data leaked than any other victim and was “appalled” to hear of the incident.

Over two years, posts on Moray Council’s Interchange website included names, parking fine numbers, addresses, vehicle registration numbers, phone numbers, email addresses and details of bus journeys.

In one case seen and documented by The Northern Scot, details of a resident’s benefits history and home address appear to have been published - while another post apparently revealed a person’s medical details.

The posts, made between November 3, 2022 and November 1, 2024, appear to break Moray Council’s own rules on Data Protection and information-sharing.

"We take it extremely seriously..."

Moray Council said it “apologises unreservedly” to all individuals involved, and admitted that it had fallen short of the standards for local councils.

A spokesperson confirmed that the council had referred itself to the Information Commissioner’s Office, which investigates data breaches in the UK, within 72 hours of being informed, in line with data protection laws.

“This should not have happened and we’re investigating how the incident occurred,” the spokesperson said.

“This is not what is expected of a local authority, we take it extremely seriously and have put mitigations in place to ensure it doesn’t happen again.

“We reported the incident to the Information Commissioner’s Office within the statutory 72 hours and will work with them to provide any further background information required.”


Most of the apparent breaches came after members of the public contacted Moray Council about parking fines.

The council hits those who break parking rules with an £80 fine, but this is reduced to £60 if paid within 10 working days.

However, when some members of the public contacted the council and received more time to pay at the lower rate, their details appeared on the website.

The information posted online was verified by several of those impacted by the breach - who argued they had not given permission for their data to be published.

An NHS worker, who was among the worst affected by the breach, had her name, fine number, vehicle registration, address, phone number, and email address made public.

The breach occurred on Moray Council’s Interchange website…Picture: Daniel Forsyth

Upon hearing that her information had been leaked, she said: “God’s sake - that is quite scary.

“That is ridiculous, isn’t it?

“And they are supposed to be people you trust.”

She said she felt that the council had penalised her for contacting them after making a “genuine mistake”, while those who avoided paying would not have been named and shamed.

“I’m just appalled that something like this has come out,” she added.


“It was a genuine mistake, and I tried to resolve it.”

The parking fine posts were apparently intended as updates on specific fines, to be shared between customer-facing staff.

However - despite other parts of the website being locked behind strict security controls - anyone can access the Customer Services Staff Information Hub.

In total, 31 posts contained personal details of those requesting extra time to pay their parking fines, with 14 containing a name, fine number and vehicle registration number - information that would reveal the registered owner.

According to an online post from the DVLA, vehicle registration numbers are among details commonly sought by scammers.

Data breaches can put people at risk of scams...Picture: Creative Commons/Pexels/Yan Krukau

Addresses of those who received fines were included in 11 posts while contact details, including emails and phone numbers, were included in five posts.

One victim confirmed that her name, parking fine number, and a previous home address had been posted online.

The woman, who contacted Moray Council to appeal a parking fine, was “shocked” to hear her details had been published.

“It is quite shocking really, especially in this day and age,” she added.

“Oh gosh - I don’t really know what to say.

Some sections of Moray Council's Interchange website are accessible by members of the public.

“I’m more in shock than anything else.”

The victim added that she was confused over how the council knew about the address linked to her name in the post.

She claimed her fine came around six months after she moved out of that property, and denied providing the address to council staff.

The woman, who said she was part of an “ex-forces family”, worried there may be security implications for the address having appeared online.

Having her information published confirmed her wider opinions of Moray Council.

“Make them look hard at what they are doing”

However, she also argued that the incident could lead the council to improve how it works.

“I think this is probably going to make them look hard at what they are doing,” she said.

Further breaches - ‘Special category’ data included?

Further details were also posted to the website, which may have breached data protection rules.

A post from October 17 apparently included the name and address of a local resident and revealed that they are under review by the benefits team.

Five posts about the M.Connect service appeared to reveal personal details of service users.

One post included the name, journey details, and medical information about a passenger, while another contained a separate person’s name, journey details, and address.

A further three posts revealed the name and journey details of four more residents.

Details of 13 addresses that requested uplifts of bulky waste were also released, over five posts between December 14, 2022 and June 17, 2024.

Moray Council admitted falling short of standards over the breach.

What are Moray Council’s own rules?

Moray Council provides information about data protection rules on its main, customer-facing website.

Members of the public have “rights to know how personal information can be collected, used and stored,” according to the site.

Personal data is defined as “any information that can be used to identify you as a Data Subject, such as your name and address”.

“It’s information that relates to you, and from which you can be identified directly; or which could be used in combination with other information to identify you,” the page adds.

The site also pledges: “Moray Council will strive for a positive and proactive approach to the collection and management of Personal Data.”

“…use and share information appropriately”

And it vows to “ensure we protect the information we collect” and “use and share information appropriately”.

The website also states that each time the council collects information, there should be a privacy notice explaining why it was collected and how it will be used and shared.

Moray Council’s website contains 53 privacy notices, but none of these cover how parking fine data is managed.

However, the council’s on-demand M.Connect bus service does have a privacy notice.

It states that personal information will be shared with the company which runs the booking system and with “authorised officers”.

It also confirms that the council can share information with other departments and third parties, to prevent fraud.

No circumstances are listed where customers’ personal information can be posted on a public website.

However, the posts relating to the M.Connect service contained customer details - apparently breaching the rules.

The on-demand service will cover the whole of Moray.

Furthermore, the privacy statement clarifies that a customer’s use of a wheelchair would be considered “special category” data, and is therefore subject to tougher rules.

One post published on the Interchange website revealed a passenger’s name and referred to their mobility needs.

When can Moray Council share data?

Under the heading “Who we share your information with”, the council website again fails to mention any circumstances where personal information can legitimately be posted on a public website.

It sets out several circumstances in which information may be shared, and the legitimate recipients.

“…measures in place…”

This includes several cases in which data can be shared between council staff to help services run effectively.

However, information can only be shared with third parties if they are delivering a service, auditing public funds, investigating potential fraud or criminality, or during an emergency situation.

The rules add: “When we share your personal information with third parties we only do so when legally required, or when permissible under Data Protection legislation.”

The council has “measures in place to ensure your information is protected”, it claims.

“Whenever personal information is shared with third parties we will only provide the minimum information required.”

“…respecting the right to confidentiality…”

Finally, under the heading “Are records confidential?”, the council confirms its duty of “respecting the right to confidentiality”.

It states: “The Council’s employees have a duty of care when providing services.

“This includes respecting the right to confidentiality and ensuring that information about you is only processed for the purposes of the service being provided.”

