Chorley Council accused of data breach involving thousands of residents

A local council has reported itself to the information watchdog after being accused of a data breach involving thousands of its residents.

Friday, 7th May 2021, 8:22 am

Chorley says it took immediate action after being told confidential details involving complaints made by the public were visible on its website - and have been for the last eight years.

The authority insists no payment details could be accessed and the risk to the public was "low."

But the man who raised the alarm has claimed council officers have failed to notify those whose information was available online, saying they were "too busy with the election."

Sign up to our daily newsletter

The i newsletter cut through the noise

Chorley Town Hall where the alleged data breach went undetected for eight years.

"I would have at least expected them to have informed everyone whose details were on show by now, but they haven't," said the Euxton resident who asked not to be named.

"They quickly closed down the link and they have reported themselves to the Information Commissioner's Office. But people need to know if they have been affected."

The man says that by clicking on a simple link he was able to view 109 pages of data which he felt should have been confidential.

The information lists addresses in the borough which have made complaints about a wide range of issues from benefits to rat infestations and missing wheelie bins.

Chief executive Gary Hall says the council has reported itself to the independent watchdog.

"A lot of it could be seen to be quite innocuous," he said. "But if it fell into the hands of criminals these people's addresses could be targeted by scammers and conmen.

"It doesn't give the person's name, but it shows the full address and what the complaint was about. So it could mean someone could call on the address and gain entry by pretending to be from the council responding to a complaint."

The resident said he stumbled upon the information after he contacted the council online to report a problem with a car park in the town. In return he was sent an automated email containing a link.

"I clicked on it and I suddenly realised that through it I could see details of every resident who had made a complaint," he said.

The council files could be viewed by the public.

"I could see which addresses had ordered a new bin, where there had been a neighbour dispute, who had reported a rat infestation, who had reported their binmen for leaving rubbish behind, or even who had missed payments.

"I got on to the council and spoke to their data officer and they have now fixed it. But by all accounts the information has been on there open to the public for a long time.

"After a couple of weeks I asked them why they hadn't sent out a note to residents on that list to say what had happened and they said they were too busy with the election.

"If Chorley Council has had its information on show then which other councils have also had the same system which people could look at?"

Chorley Council says it did not believe that access to the information amounted to a data breach and therefore did not want to cause "unnecessary alarm" by alerting residents.

In a statement, chief executive Gary Hall said: “After undertaking a review of this functionality, we are satisfied that only the addresses of users would have been available to view through a targeted link sent directly to the relevant customer

“No names were on display, and it is our opinion that none of the other fields contained additional information that would combine to identify an individual. Furthermore, no payment data could be accessed.

“This functionality was actually introduced to benefit residents by enabling them to view the progress of service requests they had raised with us in a simple way, avoiding the need for them to log in or create an account.

“It has been in place since 2013 and, until now, we have had no reports of residents’ data being accessed by third parties.

“Although we believe the risk to be low, we do take all matters relating to the security of our residents’ personal data seriously and removed the functionality when alerted to the potential issue to avoid causing any unnecessary concern - despite the fact data would only be visible as the result of a degree of guesswork, luck or significant perseverance on the part of the wrongdoer.

“As an extra precaution, the user’s address is no longer a viewable field and access is now based on a GUID (Globally Unique Identifier) rather than the service request identifier.

“The council believes that this matter does not constitute a data breach and, as such, there has been no need to cause unnecessary alarm by alerting residents. There is no evidence that any other third party has accessed the data inappropriately.

“Nevertheless, we have taken the step of self-reporting the matter to the Information Commissioner’s Office. We will abide by their ruling and will take any additional recommended action.”