IMPROVEMENTS have been made to the way documents are published on Ceredigion County Council’s website following a data breach caused by “human error.”
Ninety-eight exempt documents – some containing personal and sensitive information – were discovered on its website after the council was alerted by the Cambrian News last summer.
Members of the audit committee received a report from corporate lead officer customer contact Arwyn Morris outlining the cause of the breach and what had been done to stop it happening again.
Mr Morris said on Wednesday (February 6) that it was “human error” that caused the breach and now there was a “two-step authentication” process to publication, with two people checking any document was not exempt.
Major search engine companies were asked to “flush the cache” and a test was carried out to check the documents did not appear, the committee were told.
Eight documents were found to contain detailed health information Mr Morris said, and were assessed as higher risk.
Four of the people had died since the information was recorded in 2004 to 2006 but the other four were written to with an explanation and apology.
The other information was considered lower risk, such as names and addresses, company names and transactions for the sale of land.
Cllr Hag Harries said that data such as this was not always low risk.
“It’s not readily available if someone is fleeing violence or something like that, it could seem trivial or it could mean loss of life for somebody,” he said.
A new electronic management system was introduced in 2006 and all documents stored on it but some exempt documents were filed incorrectly the committee were told.
These were then published when the website was redesigned in 2013, this is when the documents were available to the public.
Cllr Gareth Davies said that the corporate risk register should include steps taken to mitigate risk to provide assurances that incidents such as this breach are acknowledged by the department.
The matter had not been reflected in the register because it was due to human error not a systems issues, Mr Morris said but more information will be included in future.
Referring to a separate data breach five years ago, which related to a system issue, Cllr Davies said: “We were given assurance the this would not happen again, I accept human error but it has happened. When we are given assurance that something has been dealt with and data information is secure you expect it to be secure.”
“I can’t give 100 per cent assurance there could be another bug in the systems, there could be another human error but I’m confident as we can be that our systems are secure and the personal and sensitive information is held in a safe manner,” said Mr Morris.
A report on the breach from the Information Commissioner’s Office is due to be made on the incident.
James Davies, who reported the 2007 breach, said that the council was “playing down” the recent incident.
“It was pointed out by Cllr Hag Harries that even just names and addresses can put people at serious risk.
“There’s been an awful lot of information over the years, there were 2,500 files in the other incident and the issues still haven’t been addressed,” he told the local democracy reporting service.
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here