Just as Edinburgh City Council embarks on its transformation to a local authority dependent on internet and e-mail access to its services by the public, along comes the worst digital theft to hit a Scottish council.
In some quarters there have been almost desperate attempts to play down the hacking of 13,000 e-mail addresses that had been submitted through the council’s web portal.
The line appears to be “it was only e-mail addresses” and, thank heavens, not more personal material. That excuse stinks. Like a lot of people, I have several e-mail addresses – one for work and business, one for social use, and one that’s strictly for family and friends and is only given to them.
The first two have long been invaded by annoying spammers and phishers, and that is what I fear will happen to the 13,000 victims of this hacking crime. It’s just not good enough to say “it was only e-mail addresses” because the fact is that those addresses were given to the council in confidence and people had the right to expect them to remain confidential between themselves and the council.
OK, the council itself was not directly responsible for the security breach – that was the fault of an English service provider which we must presume will now lose that contract. They will, won’t they? Because if they don’t then we can only assume that the council itself was indeed at fault, and that such a breach could happen again.
Questions also have to be asked and answered as to why it took ten days for the council to admit that there had been a data theft. I strongly suspect that no-one bothered at first to ask the council’s public relations department as to what should be done – if they had been asked, the experts in the department would surely have recommended full and immediate disclosure of the theft, but I suspect they were probably the last people to be told about it.
I have to agree with Councillor Cameron Rose’s point about the “reputational damage” this incident has caused the council. The Conservative group leader and I rarely see eye to eye on most subjects, but on this matter he is absolutely correct.
As he said: “A key part of the council’s strategy is to move business online, but unless it’s secure, an incident like this saps public confidence.”
Too right. Will anyone really trust Edinburgh City Council with any such information again?
The council should call in an independent expert who really knows about such issues and how to deal with them. In a spirit of positivity, can I recommend Professor Bill Buchanan of Napier University?
In an excellent article called Edinburgh Breach – Can the Public Sector keep up with Computer Security?, Prof Buchanan wrote: “The public sector are struggling to keep up with the pace of increasing the integration of IT but in also properly supporting it.”
He then made a remarkably sensible suggestion – that private and public sectors co-operate in the new Cyber Academy which Napier launched in May.
The Academy will be “a place where everyone can share information”, in the professor’s words.
“We must all work together to share best practice,” he added.
That’s spot on, professor, and your local council should now be knocking on your door for help.
I’m already looking forward to Fanfare, the Fringe’s brass band extravaganza set for Sunday, August 23, on the Water of Leith walkway. Let’s hope the weather improves by then.
Crash pair’s families deserve action
The tragedy of Lamara Bell and John Yuill, who died following a car crash beside the M9 after Police Scotland attended the scene three days late, is almost unspeakably painful to those of us who believe that our police force really is the best anywhere.
I find myself agreeing with Liberal Democrat leader Willie Rennie – another rarity for this column – that there should be a fully independent inquiry into Police Scotland’s handling of calls from the public. Forget the Police Investigations and Review Commissioner’s inquiry – get a top criminal lawyer to investigate and, if necessary, haul those responsible before the courts.