Data breach lessons

Last week, hackers stole 13,134 email addresses from City of Edinburgh Council – professor Bill Buchanan of Edinburgh Napier University offers his verdict.

At a first look, the hack involving City of Edinburgh Council reported earlier this week doesn’t look too serious as there does not seem to be any passwords involved. All that has been revealed is email addresses, which can often be gained from other sources.

The only threat would be in spear phishing of users with council-related emails, but the users involved probably will be wary of any emails sent from the council anyway.

For councils, possibly they should learn from others with larger budgets. As with the US hack on OPM (Office of Personnel Management), the focus is increasingly on detecting the first signs of a hack and try and overcome it. Like it or not, this tends to be a human activity, running 24×7, and using advanced logging methods, which councils will struggle to afford.

Really, the public sector are struggling to keep up with the pace of increasing the integration of IT but in also properly supporting it. If the US OPM can’t do it properly, the UK public sector will especially struggle.

For this amazing city, we have so many companies involved in computer security and we are building an infrastructure of Cyber Age companies. There thus needs to be more ways to share best practice to support all stakeholders and we hope to help with the development of The Cyber Academy, which is a place where everyone can share information.

No one domain can hold all the knowledge in this new information age and we must all work together to share best practice. The public sector needs it as much as any, especially in supporting the drive to get services online.

I had a case just the other day where I could change the address on my driving licence online, but if I want to change the address on my vehicle I need to fill in a form (and sign it – tut!) and send it back.

The UK and Scottish governments have targets of allowing citizens to get access to their health records by 2020, so the public sector will have to learn how to set up detection systems in order to stop large-scale data breaches, and hopefully share resources and intelligence.

This article is based on Edinburgh Breach – Can The Public Sector Keep up with Computer Security?, an article by Professor Bill Buchanan of Edinburgh Napier University.​

Colin Marrs

Learn More →

Leave a Reply

Your email address will not be published. Required fields are marked *

Thank you! Your subscription has been confirmed. You'll hear from us soon.
Subscribe to our newsletter