Ceredigion council data breach 'could have lasted 11 years'

Sensitive personal information could have been on a council's website for 11 years, it has been claimed.

Documents containing people's names, addresses and medical conditions were publicly available on Ceredigion Council's website on Thursday.

The man who notified the council of the breach said he reported the same data on the council's website in 2007.

The council said it had made a self-referral to the Information Commissioner's Office (ICO).

The confidential documents, which were taken down on Friday, were listed as attachments to the council's cabinet papers from meetings held in 2004.

Some of the documents included sensitive, personal data - names, addresses and medical conditions - of individuals living in Ceredigion.

Among the dozens of papers there were also details of the purchase of a plot of land in Aberystwyth where the council and Welsh Government now have offices.

James Davies, a resident of Borth near Aberystwyth, saw the files on the council's website last Thursday and contacted the ICO.

Mr Davies said he was arrested on suspicion of hacking the council's website in 2007 after he reported a similar data breach to the council.

He was later released with no further action after spending some time in a cell, he said.

Mr Davies told the BBC that some of the confidential documents he saw on the council's website were the same ones he saw 11 years ago.

"I am concerned that the files could have been publicly available on the council's website for the intervening 11 years," he said.

"I am shocked that vulnerable people were still at risk of their data being in the public domain so many years after I originally drew attention to the issue."

A Ceredigion council spokesperson said it was unable to comment on the specifics of how long the data had been available online until its investigation was complete.

"The council wishes to apologise for this error and there is an ongoing investigation into the exempt information that was available online and measures are being put into place to improve the system," the spokesperson said.

"The council has also made a self-referral to the ICO. The outcome of the investigation will be presented to councillors when the investigation is complete."

The ICO would not comment on the case specifically.