Council cyber attack: Emails may be used for scams

Edinburgh City Council was hit by the cyber attack. Picture: Scott Louden

13,134 individuals who have had their details stolen were contacted by the city’s director of corporate governance, Alastair Maclean, asking them to change any passwords used to access the council’s website.

The victims include thousands of members of the public who may have given an e-mail address while requesting a new recycling bin, challenging a parking ticket or reporting a pothole, as well as 400 of the council’s own employees.

In an e-mail sent yesterday, Mr Maclean insisted “no other personal data was taken”.

The attack is believed to have taken place on Friday, June 26, with council officials alerted by its data centre provider. No details have been released regarding the source of the attack, which targeted the council’s website service provider, based in England.

The Information Commissioner has been informed of the incident, as has the UK government’s computer emergency response team, which monitors incidents of hacking against the public sector.

Napier University cyber security expert Professor Bill Buchanan warned that hackers would be likely to try to use the data in “phishing” scams, which attempt to con victims out of sensitive information like bank details and passwords using bogus e-mails.

Prof Buchanan said: “Data like this is worth a lot. It is really quite sloppy to lose that information. Without a doubt, in this case, the intruders could link e-mails to the council in some way. A targeted phishing e-mail could say, in regards to a parking ticket, ‘You contacted us in May, please could you click on this link and give your details’. G-mail addresses in particular are quite sensitive because they tend to be the core of your online identity. If an intruder can get into that address, they can access every single account.”

The attack is thought to have taken place on Friday. Picture: Justin Spittle

Conservative leader councillor Cameron Rose said: “It’s taken us ten days to respond, which needs questions asked.

“A key part of the council’s strategy is to move business online, but unless its secure, an incident like this saps public confidence.”

This is the second time in five years that the council has been hacked. In December 2011, the personal information of people who had contacted the council’s debt advice service was taken, with potential victims advised to check bank and credit card statements.

A spokesman for the council said: “This was a malicious cyber attack on the council’s website which is hosted in a UK data centre. It was dealt with swiftly and at no point were any council services affected.

“We want to reassure the public the ongoing security of our website is critically important.”

‘NO CHANCE’ OF FENDING OFF HACKERS

NAPIER University’s Professor Bill Buchanan said that the public sector, including councils, had “nowhere near” the level of funding needed for cyber security, and could not afford the same defences as the private sector, despite hoovering up growing amounts of public data.

“They have no chance to keep up with state-of-the-art security,” he said.

“The public sector aren’t up to what you would see in private industry. If it can happen to Sony, who lost all their movies, then it can happen to any organisation.

“Councils should set up detection systems, almost like trip wires, so that if something happens on a network that doesn’t look quite right, then they can pick that up. It’s too late after it’s happened.”