Home   News   Article

Moray Council data breach sees Information Commissioner’s Office take no further action after ‘words of advice’





A watchdog has given “words of advice” to a council which posted customers’ personal information online during a two-year spate of data breaches.

However, the Information Commissioner’s Office decided “not to take further action at this time” over Moray Council posting people’s details onto a public website - accessible through a Google search - more than 30 times.

No further action will be taken over the data breaches.
No further action will be taken over the data breaches.

Archived copies of offending posts suggest their removal only began after we began to contact victims.

A Moray Council spokesperson said similar breaches “cannot reoccur” after tougher security measures were adopted.

“Upon being made aware of the issue, we took immediate action, adhering to all necessary protocols, including self-referring to the Information Commissioner’s Office and reaching out to those affected,” he added.

“Following a review, Customer Services has introduced newly strengthened security protocols which ensure that a similar breach cannot reoccur.

“The protocols will be subject to frequent review.”

One woman said she was “appalled” to find that her name, parking fine number, vehicle registration number, address, phone number and email address had been published on the council’s Interchange website.

In total, 31 posts revealed the personal information of people who had requested extra time to pay parking fines at the discounted £60 rate.

Of these, 14 contained a name, fine number and vehicle registration number - information that would reveal the registered owner.

According to an online post from the DVLA, vehicle registration numbers are among details commonly sought by scammers.

Home addresses of those who received fines were included in 11 posts, while contact details - including emails and phone numbers - featured in five posts.

Further details were also posted to the website, which may have representated a more serious breach of data protection laws.

A post from October 17 apparently included the name and address of a local resident - but also revealed that they were under review by the benefits team.

Five posts about the M.Connect service appeared to reveal personal details of service users.

One post included the name, journey details, and medical information about a passenger, while another contained a separate person’s name, journey details, and address.

Details of a person’s status as a benefit claimant, and their medical history, can be considered “special category” data which is subject to tougher data protection rules.

A Moray Council spokesperson said: “Upon being made aware of the issue, we took immediate action, adhering to all necessary protocols, including self-referring to the Information Commissioner’s Office and reaching out to those affected.

“Following a review, customer services has introduced newly strengthened security protocols which ensure that a similar breach cannot reoccur.

“The protocols will be subject to frequent review.”

A spokesperson for the Information Commissioner’s Office said: “We can confirm Moray Council has made the ICO aware of a data breach incident.

“After considering the report, we have provided words of advice to the council and do not intend to take further action at this time.”


Do you want to respond to this article? If so, click here to submit your thoughts and they may be published in print.



This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies - Learn More