Derbyshire County Council has apologised after it was forced to temporarily shut down its jobs website after it revealed that a user’s account details were exposed to ‘a small number of visitors’ to the site during a data breach.
Another user who had visited the council’s Derbyshire jobs website on June 25 discovered she could access different people’s profiles after a friend had told her she had logged in and was faced with someone else’s profile details including names, addresses, phone numbers and job applications.
A county council spokesperson said: “On Tuesday, June 25, between 5.30pm and 7.30pm, a small number of visitors to the Derbyshire jobs website were taken to a web page displaying some information relating to another user’s account rather than their own. As soon as the issue was identified the website was taken down.
“We are very sorry this happened and have contacted 12 people known to be affected to inform them about the issue and offer support and advice.”
The council explained the Derbyshire jobs website is provided by an external technology company and the authority is taking the current issue ‘extremely seriously’ with that particular provider and the breach has been reported to the Information Commissioner’s Office.
A council spokesperson added: “All data was secured on the website and we carried out an urgent investigation with our supplier which confirmed the incident was caused by an external supplier software implementation issue and did not arise from a cyber-security incident.
“We have worked with the provider over the last few days to identify and rectify this technical issue and are now satisfied it has been resolved. We have also put in place additional security measures.
“The site went back online today (July 2) and we will continue to work closely with the provider to ensure website performance is optimised and that all data held within the site is stored securely.”
Applicants who were applying, or intending to apply, for jobs with Derbyshire County Council or with some of the council’s partnership organisations, schools and academies which had deadlines within the website closure period have been assured by the council those deadlines have all been extended.
The Information Commissioner’s Office which will be looking into the council’s report on the data breach upholds information rights in the public interest and promotes privacy for individuals.
And the UK General Data Protection Regulation has introduced a duty on all organisations to report certain breaches to the relevant supervisory authority and, according to the ICO, if a breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms the individuals involved must also be informed.
The UK GDPR states that a personal data breach if not addressed, can result in a loss of control over personal data, identity theft, fraud and financial loss, a loss of reputation, and a loss of confidentiality.
The ICO defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes, according to the ICO.