Islington Council accidentally leaks data after posting information to mySociety website

News by Dan Raywood

Islington Council experiences a data leak, with sensitive information about residents posted online for two weeks.

Islington Council experiences a data leak, with sensitive information about residents posted online for two weeks.

According to the Islington Tribune, the names and addresses of 2,400 tenants were posted on the mySociety website when the council responded to a Freedom of Information Act request regarding the ethnicity and gender of people it had rehoused.

A spreadsheet containing the information was sent to the website 'WhatDoTheyKnow' which published it online, but the spreadsheet also contained tabs with the names, marital status and addresses of 2,400 residents. This data was online for two weeks before the council was notified of the error.

According to a statement by 'WhatDoTheyKnow' owner mySociety, in one file the personal data was contained within a normal spreadsheet, while in the two other workbooks the personal data was contained on four hidden sheets.

Tom Steinberg, founder and director of mySociety, said that all requests and responses sent via WhatDoTheyKnow are automatically published online without any human intervention, so the Excel workbooks went instantly onto the public web, where they only attracted seven downloads in total.

“Shortly after sending out these files, someone within the council tried to delete the first email using Microsoft Outlook's ‘recall' feature. As most readers are probably aware – normal emails sent across the internet cannot be remotely removed using the recall function, so this first mail, containing sensitive information in both plain sight and in (trivially) hidden forms remained online,” he said.

A recent Egress and SC Magazine survey revealed that 74.5 per cent of respondents had received an Outlook recall message. Tony Pepper, CEO of Egress, said that the recent problems at Islington Council were consistent with the challenges it sees on a daily basis across all sectors.

He said: “Organisations are failing to implement the right technology solutions in order to share information securely outside their networks and they are failing when it comes to educating their employees (the end-users) so that they understand how and when to send information securely.

“The fact that 74.5 per cent of people surveyed admitted to receiving an Outlook recall message is startling. It demonstrates that there is a huge amount of information being sent to the wrong recipients. Judging by the Islington Council example, these end-users may think that by sending the ‘recall' request they have prevented the information being shared, which is completely incorrect.”

Steinberg also admitted that on the 26th June, the date the workbooks went live, the Excel spreadsheets that contained a large amount of personal information in the tabs was included. However it did not receive any notification from Islington Council or anyone else that problematic information had been released not once, but twice, even though all emails sent via WhatDoTheyKnow make it clear that replies are published automatically online.

He said: “Had we been told we would have been able to remove the information quickly. It was only by sheer good fortune that [one of] our volunteers happened to stumble across these documents some weeks later, and she handled the situation wonderfully, immediately hiding the data, asking Google to clear their cache, and alerting the rest of mySociety to the situation. This happened on the 14th July, a Saturday, and over the weekend mySociety staff, volunteers and trustees swung into action to formulate a plan.”

He said that on Monday 16th July, it alerted both Islington Council and the Information Commissioner's Office about what had happened with an extremely detailed timeline.

“The personal data released by Islington Borough Council relates to 2,376 individuals/families who have made applications for council housing or are council tenants, and includes everything from name to sexuality. It is for the ICO, not mySociety, to evaluate what sort of harm may have resulted from this release, but we felt it was important to be clear about the details of this incident,” Steinberg said.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews