South Staffordshire Council has been informed of a security issue in which some South Staffordshire customer data, along with data from other local authorities, was found on an unsecured data storage area provided and controlled by Capita - a third party supplier used to host data.
Following the conclusion of the company's investigation into the potential data breach, it has confirmed the information did not contain bank details.
The South Staffordshire data files include details of people’s council tax and benefits account references, name, addresses and the name of any benefits received. This is historic data and relates to the 2019/20 and 2020/21 financial years.
This data has now been made secure.
Capita has completed its investigations but has been unable to determine if any unauthorised access to the data has occurred.
Having monitored internet activity, Capita has informed South Staffordshire Council that there is currently no evidence of any malicious use of this data.
South Staffordshire Council has reported this incident to the Information Commissioner’s Office (the UK regulator for data protection) and the district council will implement any recommendations subsequently made by the regulator.
A spokesperson for South Staffordshire Council said: "We are extremely disappointed that Capita failed to maintain the security standards that we expect of our suppliers.
"We will continue to work with them to ensure that in future data entrusted to them is held securely."
Frequently asked questions
1. How did this data breach happen?
Capita provides software services to South Staffordshire Council and other local authorities.
Council tax customer information held by Capita was stored in an unsecure hosting service that was initially set up to hold release notes and user guides for its software.
We have become aware that since 2019, personal customer data was also stored in this unsecure location by Capita.
2. How did it come to light?
A security researcher identified the issue at the end of April 2023 when they contacted Capita and explained what they had identified in a report in a technical journal.
South Staffordshire Council was first made aware of the incident on May 6th, 2023. The council immediately liaised with Capita which wrote to us on May 12th, 2023, to explain the company had secured the data as soon as it had been brought to its attention and was investigating.
South Staffordshire Council is extremely disappointed Capita took so long to report the issue to us, which they are required to do as our data processor. This council, alongside the other affected local authorities, together with support from the Local Government Association, have expressed this strongly to them.
3. What action has South Staffordshire Council taken?
We have asked Capita a series of questions to understand what happened, particularly to understand what data has been affected and whether it has been inappropriately accessed.
As soon as Capita was notified of the unsecure storage area, the company removed any access to this hosting site ensuring that the personal data was no longer accessible. Capita investigated how the incident occurred and established that this was an isolated incident and does not affect other data held by Capita.
That work has now reached the point where all the data affected has been identified and the investigation to determine whether any of the data had been accessed has been concluded.
4. Has the council’s Data Protection Officer notified the Information Commissioner’s Office (ICO)?
South Staffordshire Council notified the ICO on May 13th and has remained in regular contact with the regulator throughout its investigations.
5. Has personal information been involved?
While personal data was held in an unsecure location, we have no evidence that this information was accessed maliciously.
For unauthorised persons to access the hosting service, they would have needed the exact URL to the hosting service.
This was not searchable via online search engines.
Analysis has taken place on IP addresses which accessed the hosting service during the time that the information was available, and we are unable to identify whether or not this information was accessed by unauthorised persons.
6. Exactly what has been compromised? Are bank account details involved?
Personal data related to the end of year council tax process for 2019 and 2020 only has been compromised.
No bank account information was included in the compromised data.
7. What types of personal data have been affected?
For council tax payers
The data included details of people who were liable for council tax in South Staffordshire during the relevant financial years. Specifically this data included:
a. The full name and title of the first person detailed on the council tax bill. If more than one person was liable for the council tax it only included the name of the first person.
b. The council tax account reference number
c. The property reference number
d. The amount of council tax payable
People in receipt of housing benefit and/or council tax support
The data included details of people who had received housing benefit and/or council tax support in the relevant financial years. Specifically this data included:
a. The full name and title of the person claiming housing benefit
b. Address of the person claiming housing benefit/council tax support
c. Housing Benefit Reference number
d. Whether the housing benefit claim was live or cancelled at the time
e. The dates for which housing benefit was awarded
f. Details of whether the household was in receipt of benefits including but not limited to disability benefits, child benefit, income support, tax credits, universal credit and pension credit
g. Details of any income from earnings or other sources including savings income and occupational pensions included in the housing benefit claim – this includes the amount of income but does not include the source of the income, for example the name of an employer
h. The amount of rent payable by the household
i. Confirmation of whether any children are part of the household but not including the name or age of the children
Business rates
The data included details of people and organisations liable for business rates. Specifically this data included:
a. The full name of the person or organisation liable to pay business rates
b. The full correspondence address for the business rate account
c. The business rates account reference
d. The amount of business rates payable
e. The property reference number
8. Has any data been made public or referred to publicly?
There has been no indication that the data is available or being referred to publicly anywhere.
This is, however, being continuously monitored and if this situation should change we will provide an update.
9. Is Capita checking the internet to see if this information is for sale?
South Staffordshire Council has confirmed that Capita will be monitoring the internet, and they have been asked to provide the council with information on any relevant publications.
To date, no information associated with the unsecure storage site have been found on the internet.
10. How have you assessed the risks?
Taking into account the nature of the information involved, for example that it does not include bank details, lack of any evidence that it has been accessed inappropriately and an assessment that its use fulness is limited we do not believe that there is a high risk to individuals arising from the incident.
This will remain under constant review - and if the situation changes or we become aware that the information has been accessed or made available - we will reassess this advice.
11. If the risks are low, why are you telling people?
Article 34(1) of the UK GDPR legislation requires notification to data subjects where there is a personal data breach which is likely to result in a high risk to the rights and freedoms of individuals and this should be done without delay.
Guidance from data protection regulators is clear that data subject notifications should not be taken lightly, and they guard against speculative notifications of data subjects which can result in greater distress than the breach itself.
In sending out a notification where the threshold is not met, there is a very real danger of communicating risk where there is none.
A relevant factor is whether the data subjects, if informed, would be able to take any steps to protect themselves from suffering any harm. Examples of high risk are financial fraud, physical harm and distress.
Based on the information available, we do not consider that the threshold set out in article 34(1) has been met
However, we are aware that the incident has been reported in the media, and in the interests of transparency have decided to provide this information.
12. Has Capita appointed a cyber security company for advice?
This issue is not the result of a cyber security incident.
Notwithstanding this, Capita has engaged their own technology specialist alongside third parties such as Amazon and Microsoft to assist with their investigation into this issue.
13. Is there a contract in place between South Staffordshire Council and Capita?
Yes, there is a contract in place.
14. Will you provide further updates on the situation?
Yes, if new information comes to light we will provide updates, we will continue to monitor this and if the situation changes or our analysis of the risks changes, we will provide further updates.
15.Where can I find good advice on how to protect my personal data or if I’m worried that any of my information has been compromised?
The Information Commissioner’s Office provides information about the precautions you can take to protect yourself from identity fraud or the misuse of your information: https://ico.org.uk/for-the-public/online/social-networking/#1