For the second time in five years, Edinburgh City Council has been hacked again. More than 13,000 email addresses were stolen from the counsel’s database after a “malicious cyber attack” on 26 June.
A spokesman of the council said, “This was a malicious cyber attack on the council’s website which is hosted in a UK data centre. It was dealt with swiftly and at no point were any council services affected.”
“We want to reassure the public the ongoing security of our website is critically important,” he added.
According to a news report published on Edinburgh Evening News, cyber security experts have warned local authorities “don’t stand a chance” against hackers.
“The attack is believed to have taken place on Friday, June 26, with council officials alerted by its data centre provider. No details have been released regarding the source of the attack, which targeted
the council’s website service provider,” the report read.
The Information Commissioner has been informed of the incident, as has the UK government’s computer emergency response team, which monitors incidents of hacking against the public sector.
The council is now contacting 13,134 individuals who have had their details stolen. Similarly, the city’s director of corporate governance, Alastair Maclean, has been asking them to change any passwords used to access the council’s website.
Napier University cyber security expert Professor Bill Buchanan warned that hackers would be likely to try to use the data in “phishing” scams, which attempt to con victims out of sensitive information like bank details and passwords using bogus e-mails.
“Data like this is worth a lot. It is really quite sloppy to lose that information. Without a doubt, in this case, the intruders could link e-mails to the council in some way. A targeted phishing e-mail could say, in regards to a parking ticket, ‘You contacted us in May, please could you click on this link and give your details. G-mail addresses in particular are quite sensitive because they tend to be the core of your online identity. If an intruder can get into that address, they can access every single account,” Buchanan added.
In December 2011, the personal information of people who had contacted the council’s debt advice service was taken, with potential victims advised to check bank and credit card statements.