BreachExchange mailing list archives

Hackney Council in personal data breach


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 26 Feb 2013 10:13:52 -0500

http://hackneycitizen.co.uk/2013/02/25/hackney-council-personal-data-breach-licencing-applications/

Papers published on Hackney Council’s website have inadvertently
revealed the personal data of a number of residents, an investigation
by the Hackney Citizen has found.

Among the personal details discovered were the names, addresses, email
addresses and mobile phone numbers of more than thirty residents who
had been in touch with the council recently about licensing decisions.

The data featured in documents which had been partially redacted, but
redaction had not always been done correctly, allowing personal
details to be accessed by anyone who viewed the papers.

The Hackney Citizen analysed council meeting papers published since
the start of 2013 and found seven documents which contained personal
data. Details in the documents included:

the names of 35 residents who had expressed views on license
applications, in many cases with the resident’s home addresses;

ten email addresses;

four mobile phone numbers.

Further personal data could have been available in documents published
prior to January 2013.

Among the personal details contained in the papers were the names,
addresses and signatures of 20 residents who signed a petition against
Future Cinema performances in the former Cardinal Pole School on
Victoria Park Road.

In another case, the Hackney Citizen was able to view the name, home
address, mobile phone number, email address, web address, and Twitter
handle of one resident who had commented on a local licensing
decision.

Niall McCormack described himself as “surprised” to find his details
available in the meeting papers. “It is vital that Hackney Council
take all reasonable steps and precautions to protect the data of the
general public”, he said.

The personal data was all contained in supporting documents for
meetings of the council’s licensing sub-committees, where decisions
are made on license applications and amendments.

The documents had been published on the council website and contained
copies of letters, emails and petitions received by the council either
in favour of, or objecting to, license applications being considered.

While attempts had been made to redact the personal data, with black
marks placed over the personal data, this had not been done properly,
meaning the underlying data could be accessed by anyone viewing the
documents.

Amongst the council papers in which personal details were found were
documents relating to an application for a premises licence by Dalston
Organic, an application to review Efes Snooker Club’s licence, and an
application to vary the licence of the Hoxton White Horse.

The council was alerted to the data breach prior to publication of
this article in order to allow them to take down the documents
concerned.

A Hackney Council spokesperson said: “The Council has removed the
reports from the website and will look into the matter to determine
whether any confidential information contained therein can be accessed
by the public or not.”

The Hackney Citizen also passed evidence to the Information
Commissioner’s Office (ICO), the body responsible for enforcing data
protection law in the UK.

A spokesperson for the ICO said: “We will be making enquiries into the
circumstances of this alleged breach of the Data Protection Act before
deciding what action, if any, needs to be taken.”

In a number of cases, copying the content of the documents into word
processing software revealed names and contact details. In other
cases, anyone with PDF-editing software would have been able to open
the council documents and simply remove the redacting marks which the
council had placed over personal data.

Hackney Council has previously threatened the Hackney Citizen with an
injunction following the publication of a voice recording which, the
council alleged, was in breach of the Data Protection Act 1998.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
