FOI Request Data And Cyber Security
I am writing to you under the Freedom of Information Act to request information regarding data and cybersecurity incidents in the calendar year 2017 affecting information owned, processed or generated by your local authority.
 Please may you provide me with the number of data breaches that occurred of your organisation's owned, processed or generated information in the calendar year 2017.
[1.2] Please may you provide me with a list of details regarding these breaches (i.e. when they occurred, how they occurred, and what information was lost).
 If your organisation differentiates between data breaches and data incidents, please may you provide me with the number of data incidents that occurred of its owned, processed or generated information in the calendar year 2017.
[2.2] Please may you provide me with a list of details regarding these incidents (i.e. when they occurred, how they occurred, and what information was lost).
 Please may you provide me with the number of cyber security incidents that occurred within your organisation in the calendar year 2017.
[3.2] Please may you provide me with a list of details regarding these incidents (i.e. when they occurred, how they occurred, whether information was exposed, and how the incident was handled, if recorded as a crime by the police and/or whether the National Cyber Security Centre was informed).
|November 2017||Member of public reported road issue, as part of actions to deal with request contact was made to Scottish Water. Contact details for member of public incorrectly disclosed to Scottish Water.||Human error - Request sent to Scottish Water to delete information and confirmation of deletion was received. Relevant staff given additional data protection training.|
|September 2017||Email regarding pupil was sent to the wrong parent. Email sought to schedule a new date for a meeting. Email did not disclose nature of meeting or any personal information of pupil or parents beyond names.||Human error - Email sent to wrong recipient. Pupil and parents informed and apologised to. Delectation request sent and confirmation of deletion received from incorrect recipient.|
|March 2017||E-mail sent to 49 service users; e-mail addresses included in email as 'CC'ed', not 'bcc'ed'||Human error. Apology sent with request for original e-mail to be deleted. Team to discuss and use as a 'lessons learnt' experience|
|January 2017||E-mail to parent accidentally contained information further down the chain relating to another parent and their children (non-sensitive data only)||Human error; e-mail to external addresses could not be recalled. Incident reported to controller and recovery procedures undertaken. Requested deletion of email sent in error. Confirmed received that email deleted by incorrect recipient|
|January 2017||E-mails with an attachment containing a letter about expiry of insurance, return of taxi plates and end of licence for an individual was accidentally sent to incorrect email addresses.||Human error. Follow up e-mail requesting deletion of previous email sent in error. Most information included in emails otherwise publically available.|
|May 2017||DPA destruction issue.
Care Inspector informed service that their register of admissions broke DPA; service double checked this with the Care Inspector verbally and then complied with the demand to destroy the then-current register (Dec 2015 - May 2017). The following day a phone call was received from the Care Inspector apologising and stating that the register should indeed have been created and maintained.
|Information is being pieced back together were possible, but not all information is likely to be recovered.|
3.2) Both incidents occurred in Sep 2017 and related to phishing emails.
In one case, a user clicked on a link but there was no confirmed infection or any evidence of impact on security - device was quarantined and re-imaged as a precaution. No information was exposed. The incident was not reported the Police nor the NCSC.
In the other, a number of emails were quarantined and upon investigation it was evident that these were clearly part of a targeted phishing campaign. No information was exposed. The incident was not reported to the Police nor the NSCS but information was posted on the CiSP to inform others.