Data Breach Notification

In December 2021, some information containing personal details of residents and members of the public held by Gloucester City Council was taken in a sophisticated cyber-attack by a cyber-criminal group.

We would like to reassure you that to date none of the information taken has been published online and, based on advice received from law enforcement agencies, we believe that it is now unlikely that it will be.

In February 2023, the UK Government took action against individuals connected with the criminal gang suspected of carrying out this attack. Please see the news article linked here for a full explanation of the action taken. UK cracks down on ransomware actors - GOV.UK (www.gov.uk)

As a purely precautionary measure for anyone who remains concerned, residents and members of the public who used our services can take the following steps, which are good practice in protecting against scams, fraud and cyber-crime:

  • If you spot any unusual transactions on statements, inform your bank, building society and credit card company.
  • Request a copy of credit files to check for any credit applications.
  • Report suspicious credit applications to Action Fraud, the national reporting centre for fraud and cybercrime, online at www.actionfraud.police.uk or by calling 0300 123 2040.

You can also apply for protective registration with CIFAS (the UK’s Fraud Prevention Service) which ensures extra checks are carried out on any applications for financial services. Apply online at www.cifas.org.uk or call 0330 460 9601.

This is a notification of the conclusion of the cyber-attack that took place in December 2021 and not a separate or new incident. We would like to further reassure you that the National Crime Agency continues to monitor the activities of cyber-criminals and if we are made aware that any of the information taken during this incident is published online in the future, we will contact those affected.

We are very sorry for any inconvenience and concern this may cause. The Council’s Data Protection Officer is Tanya Davies. For more information, please see the FAQ section of this web page or contact our dedicated team on 01452 396396 (press *) or email data.enquiries@gloucester.gov.uk

FAQs

1. What type of information was taken during the cyber incident?

Examples of the type of information that may have been accessed include:

  • Names, addresses and bank account and sort codes for council tax or business rate payers.
  • Notices relating to licensing and environmental health issues
  • Historic documents relating to social housing cases

The Council does not hold any of your credit or debit payment card information.

We do not believe any of the information taken has been published by the criminal group. Law enforcement agencies have informed us that in the eighteen months following the incident, they have not seen any of the information taken published by the criminal group or elsewhere. Based on advice they have given us, we believe that it is now unlikely that it will ever be.

2. Will the local authority be notifying individuals affected by the data breach?

In consultation with the Information Commissioner’s Office, and given the circumstances of this case, notification has been made by this website notice, press release and social media.

3. What are the potential consequences of the data breach for individuals affected?

We do not believe any of the information taken has been published or used by any criminal group. Law enforcement agencies continue to monitor the activities of such groups. In the unlikely event that we are informed that information is published in the future, we will then notify individuals affected.

The Information Commissioner’s Office advises that a personal data breach may, if not addressed in an appropriate manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage of the natural person concerned.

4. I would like to know exactly what data of mine was involved in this incident

We are not able to process any individual requests as the resources needed to identify what information was held about individuals would be extremely costly. The ICO have been aware of our attempts to do this using various technical methods and agreed with us that a general notification via this web page is acceptable.

It is our view that by publishing this web page, the Council has complied with the GDPR Article 33 and 34 obligations contained within the UK Data Protection Act (2018).

5. Is it likely that my details have been / will be published on the internet?

Based on advice we have received from law enforcement agencies, and due to the multi-national investigation leading to the sanctioning of individuals connected with the cyber-criminal group involved in this incident, and the effective demise of this cyber-criminal group, we believe it is now very unlikely that any personal information will be published or used to defraud individuals. UK cracks down on ransomware actors - GOV.UK (www.gov.uk)

In the unlikely event that we are informed that information is published in the future, we will notify individuals affected.

6. Will the local authority be providing any support or assistance to individuals affected by the data breach?

General guidance on what to do if you are affected by the data breach has been provided on the web page in the notification.

As of the date of this notification, we are advised that the information taken has not appeared online. Law enforcement continue to monitor the internet, and if we are made aware that information is released, we will contact individuals affected.

7. Why are you telling residents now?

We have been working with cyber incident response experts to investigate the extent of the incident. This investigation has now finished and we are able to advise residents that some personal information may have been taken.

8. What do I do if I feel I have been affected by this incident?

If you have a concern or are unhappy with any aspect of this notification then please speak to our dedicated team on 01452 396396 (option *) or email data.enquiries@gloucester.gov.uk

9. How did the local authority become aware of the data breach?

The first indication of a cyber incident was on the morning of 20 December 2021 when Council officers noticed issues with their systems.

10. What steps has the local authority taken to contain the breach and prevent similar data breaches from happening in the future?

We immediately reported the incident to the National Crime Agency, the National Cyber Security Centre and the Information Commissioner’s Office. We worked with them to minimise any risks and we also carried out an investigation with a Cyber Incident Response company.

We supported the criminal investigation and have been recovering and rebuilding the IT systems, continuing to invest in IT with additional emphasis on cyber security systems and staff training.