The home page of Oxford City Council displays an alert:
“Disruption to ICT systems and services: We have been experiencing issues with some of our services following a cyber security incident. Most systems are now back online. Thank you for your patience as we work through any backlogs.”
The full notice indicates that they experienced an attack over the weekend of June 7 – 8.
At first, their notice sounded encouraging, noting that their automated security systems had “kicked in, removed the presence and minimised the access the attackers had to our systems and databases.”
Proactively taking down each of the Council’s main systems to carry out full security checks and investigate the incident resulted in disruption to some services, but the Council’s email systems and wider digital services were found to be secure.
But then you get to the part that is not such good news:
Unfortunately, the attackers were able to access some historic data on legacy systems. We have now identified that people who worked on Oxford City Council-administered elections between 2001 and 2022, including poll station workers and ballot counters, may have had some personal details accessed. The majority of these people will be current or former Council officers.
Why was unencrypted 20-year-old personal information connected to the internet?
The Council attempts to reassure people by saying there is no evidence to suggest that any of the accessed information has been shared with third parties and so far, their investigation does not find evidence of a mass download or extraction of data, but again, why was unencrypted 20-year-old personal information connected to the internet?