Published: 10:21, 10 July 2019
| Updated: 10:21, 10 July 2019
Residents’ personal information was made available to anyone due to a fault with an online inquiry form system.
Medway Council quickly addressed the bug when it was alerted to it by technology news site The Register.
The authority has now referred itself to the Information Commissioner’s Office.
The forms in question were devised as part of the Kent Channel Migration Project, a scheme involving various bodies throughout the county aimed at encouraging greater use of technology.
The launch of the project had already been held back due to “very clear flaws in usability and design”.
The council says just one form was affected but it is thought the issue meant users were able to access and edit data, which included names, phone numbers and email addresses.
Security researcher Paul Moore told The Register such bugs should be identified with “the most rudimentary tests” but with public sector budgets being sliced it was increasingly difficult to ensure necessary security measures were being taken.
The council’s assistant director of transformation, Carrie McKenzie, said: “We would like to reassure residents this was an isolated issue with our inquiry forms, which involved web links being manipulated to gain access. The inquiry forms give residents the opportunity to provide their name and contact details for a member of staff to assist them with their inquiry – these forms do not request financial details.
“As soon as we became aware that a technical expert had gained access to some forms on our website, we immediately removed all potentially affected forms. We have also taken action to fully resolve the technical issue to avoid this happening again. We have provided the Information Commissioner’s Office with an initial report, and have steps in place to ensure all data is protected.”
The council was first rapped by the ICO in 2017 after failing to send staff on data protection training. The ICO confirmed the authority has now complied with the requirements.
In 2014 the council’s Twitter account was hijacked by a group calling themselves the ‘citizens of Medway’ who announced council tax was being scrapped.