Worthing and Adur residents' data 'not yet used by hackers' following breach

In May, file-transfer software MOVEit was the subject of a data breach, with Adur and Worthing residents data potentially available to scammers after data from two council contractors, Jacobs Enforcement and Rundels, was exposed.

Adur & Worthing Councils launched an investigation, with a spokesperson saying: ““We are extremely unhappy that some of our residents' data has been able to be accessed in this way. Although the risk to our residents in this case appears to be low, they have the right to expect their personal data to be protected.

“We treat data protection extremely seriously and are currently identifying each and every one of our residents that has been affected so that we can contact them to apologise.

“We are also liaising with the national cyber-security team, the Information Commissioner and our contractors to ensure that everything is being done to prevent something like this happening again.”

The findings of the councils’ data protection team (DPT) investigation iwere presented to the joint audit and governance committee on Tuesday, September 26.

The DPT said 84 council customers had data involved in the leak – five from Jacobs and 79 from Rundels – and started with a subprocessor, or subcontractor, Adare Sec, used as a print supplier by the debt enforcement contractors.

This meant Adare Sec had access to the data Jacobs and Rundels were contracted to handle, including customer names, addresses, debt types and amounts, and had been the ones using MOVEit – both contractors and the councils stated they did not use MOVEit themselves.

The DPT said it were ‘not aware’ of Rundels using Adare Sec as a subprocessor, and will now be demanding information about subprocessors intended to be used by both contractors when amending their contracts.

Affected residents’ data, to the DPTs knowledge, had not yet been used by scammers or the hackers who stole the data, and all residents affected by the Jacobs’ breach were not living at the address listed in the data.

The Office for National Statistics (ONS) was also implicated in the breach, as it used MOVEit to receive monthly stats from the councils, but said no compromises as a result of MOVEit to that data or their systems had been found.

Committee members questioned why legal action against the contractors was not to be pursued by the councils, and why they had chosen to revise Jacobs’ and Rundels’ contracts instead of finding other contractors to work with.

The DPT said: “Certain areas of work, take Rundels for example, are quite specialist areas and so there are not many suppliers to choose from, so that limits us automatically in terms of choice, in terms of supplier. [The decision] was to amend the contract, to vary that, to bring those subprocessors in.”

Members of the DPT said it was a ‘difficult pill to swallow’ as the subprocessors had been brought in without their ‘knowledge or consent’, adding they were ‘very disappointed’ with the ‘unfortunate’ breach.

The breach at Rundles was classified by the DPT as medium-risk, and reported to the Information Commissioner’s Office, a non-departmental public body which focuses on data protection, with the Jacobs breach classified low-risk.