Tonbridge & Malling Borough Council (TMBC) has dismissed the findings of a report into cyber security after it was named as the local authority that has suffered by far the most assaults on its computer system in the country.
The civil liberties and privacy campaign group Big Brother Watch identified TMBC as having suffered almost three times as many ‘cyber incidents’ between 2013 and 2017 as the next worst – 62 compared to Herefordshire’s 22.
The report, Cyber Attacks in Local Authorities, also noted that the council had suffered two ‘total cyber security incidents that resulted in loss or breach of data’.
The data was collected following a Freedom of Information request by Big Brother Watch, who warn of a growing risk to the public’s privacy as more and more details of their lives are stored online by councils.
The group says: “Local authorities are holding ever-expanding troves of personal information about citizens. Under the banner of data-driven government, they are seeking to actively gather more information about people.
“This accumulation of big data evokes not only concerns about ethics, rights and violations of privacy, but also about how equipped councils are to protect citizens’ sensitive data.”
It found that local authorities have experienced more than 98 million cyber attacks over five years, and at least one in four suffered an ‘incident – that is, an actual security breach’.
The National Cyber Security Centre, which monitors all reported breaches, defines a cyber attack as a ‘malicious attempt to damage, disrupt or gain unauthorised access to computer systems’, while a cyber incident is a ‘breach of the security rules’.
But TMBC has claimed that it has been unfairly singled out because of a misunderstanding about the definition of the terms.
A spokesperson said: “It’s just a matter of terminology. The research used the terms ‘cyber attack’ and ‘cyber incident’ to differentiate between different severities of events.
“The council record all cyber security events as ‘incidents’ in line with guidance from the National Cyber Security Centre.” It added that none of them had been reported to the police.
TMBC also denied that the two ‘breaches’ led to any loss of data. “During the reported period there were two ransomware attacks which resulted in the corruption of data.
“These were detected early on and stopped, which did not require any downtime of council systems. No ransom was paid, and no data leaked outside of the council. The other 60 events were detected and stopped before any damage was done.”
Darren Everden, the council’s IT Manager, insisted that staff were trained to cope with any cyber security issues. He said: “The council takes cyber security very seriously and uses robust software and procedures to monitor and report on all attacks made, whether successful or unsuccessful.
“IT staff regularly receive training to remain alert to cyber security, council staff receive cyber security awareness e-learning courses, and we are presently participating in a number of projects as part of the National Cyber Security Programme.”
Big Brother Watch responded by saying: “Since we provided a very clear definition of these terms, we would have expected Tonbridge & Malling Borough Council to respond accordingly.
“In fact, they have used these exact terms in their response to us. It is possible that they don’t differentiate these terms; however this emphasises the point we make about issues in properly understanding cyber security terminologies.”
More than 100 other councils, including Tunbridge Wells Borough Council, reported no attacks or incidents. In contrast, Essex County Council said it had been targeted by 731,910 attacks but no incidents, while Gateshead said it suffered 65,000 attacks each month.
Big Brother Watch said of the anomaly: “Curiously, 126 councils said that they did not experience any cyber attacks during the specified period. This seems highly unlikely.
“These 126 councils did not report superior training – in fact, 28 of them (22 per cent) reported not providing any cyber security training for staff at all.
“Furthermore, 15 (12 per cent) of the councils that reported no cyber attacks also said they experienced a cyber security incident, further demonstrating a poor understanding of terminologies.”
Tunbridge Wells shares its IT service with Maidstone and Swale borough councils. Mid Kent Services Director Stephen McGinnes said: “Tunbridge Wells Borough Council takes data security very seriously, recognising the harm that a data breach can have on residents and the operation of local services.
“Through the partnership arrangement that the council has entered into with Maidstone and Swale the council has been able to develop the skills and tools necessary to address the threat of cyber attack, which it continues to review and refine as attacks become even more sophisticated.”