An 8,000% surge in financial data breaches affecting millions across the UK central government between 2019 and 2023 points to a “potential crisis” in public sector cybersecurity, according to a Freedom of Information request to the Information Commissioner’s Office (ICO).

The alarming statistics derive from reports of personal data breaches made to the ICO under GDPR rules. Despite confirming a review of its enforcement approach, the ICO has yet to indicate whether the massive breach spike, impacting 195 million people in 2023 alone, will prompt stricter action.

“These figures are staggering and suggest a looming data security crisis that public bodies can no longer ignore,” warned AJ Thompson, Chief Commercial Officer at IT consultancy Northdoor plc. “Tougher enforcement is key – the ICO must consider stronger oversight instead of its current ‘soft’ approach to compel the public sector to take this threat more seriously.”

Thompson pointed to high-profile incidents laying bare systemic vulnerabilities, citing examples like Sefton Council facing a 50% monthly increase in cyberattacks targeting ageing IT systems. “Councils like Sefton readily admit significant work is needed to modernise security,” he said.

“Similarly, Bristol City Council remains at heightened risk due to critical delays in updating legacy software – a key target for sophisticated cybercriminals looking to exploit outdated technology.”

The devastating impacts were underscored by the 2021 cyberattack on Gloucester City Council. “Russian hackers crippled essential services for thousands, disrupting benefits, planning, and property transactions,” Thompson stated. “The £800,000 cost to taxpayers is a sobering reminder of these threats.”

While not every breach warrants action, the expert insisted the volume indicates an epidemic that demands an urgent, comprehensive response:

“Even with robust processes, breaches can occur due to increasingly sophisticated tactics,” Thompson said. “But all too often, people remain unaware their data was compromised until councils are fined—a failure to adhere to GDPR disclosure obligations that undermines public trust.”

The solution, according to Thompson, is for councils to partner with third-party IT consultants to implement 360-degree cybersecurity monitoring and 24/7 coverage through advanced solutions:

“Technologies like Managed Detection and Response, Risk Assessments, Cloud Monitoring, and Security Awareness Training provide broad visibility, seamlessly integrating with existing systems,” he explained. “Expert third-party teams act as an extension of internal IT staff, offering ongoing strategic guidance to continuously improve security posture.”

Thompson stated, “By turning to AI-powered solutions for comprehensive vulnerability tracking, councils can protect data integrity, safeguard reputations, decrease breach risks, and mitigate devastating financial penalties from the ICO.”

“This is a crisis local governments cannot afford to ignore any longer. Implementing cutting-edge defences through collaborative third-party partnerships is crucial before even more catastrophic incidents occur.”

www.northdoor.co.uk
