A FIFE man has hit out after discovering a data breach involving Fife Council has affected around 2,800 householders.
Paul McGowan, who lives in Lochgelly, found out that a company that the council pays to manage claims suffered a ransomware data breach back in 2020 which led to 2,880 Fife claimants having data exposed.
Gallagher Bassett, an American-based international claims outsourcing business, discovered the breach in September 2020 and Fife Council were notified about the issue in late June 2021.
The details were revealed after Mr McGowan requested a Freedom of Information request.
“After initially making the claim for vets bills that were incurred when my dog was cut in a local park, I was informed that my details would be sent on to a claims company called Gallagher Bassett for processing," he explained.
"I was told the council did not need permission to send my data, which is then stored in Gallagher’s parent company system in the US, due to a “legal obligation” on behalf of the council.
"On further requests, I was told that this 'legal obligation' was for Gallagher Bassett to fight the claims on behalf of the council. Claimants are not informed of this when they put their claim in.”
Mr McGowan became concerned that his data had been passed to a third party company in the US.
Whilst investigating further, he found customers in the US had raised lawsuits against the company in regard to the data breach in 2020.
Mr McGowan, an IT cyber security consultant, said he was "astonished" to discover that it took nine months before Fife Council were informed of the breach.
"Initially, Gallagher had claimed that there had only been two people affected and this information was used by Fife Council to raise their disclosure to the Information Commissioner Office (ICO)," he explained. "The ICO confirmed on July 16 that no further action would be required and Fife Council closed the issue on July 26.”
Later emails showed that the council had later been told that 2,880 claimants may have had their data breached.
“I have professional concerns about the way that Gallagher has, and continues, to handle this matter. In my opinion, they are not telling us all the information," added Mr McGowan.
"I am also concerned about the lack of vendor risk management and data protection within Fife Council. I have recently raised complaints with both the council and the Information Commissioner Office on these matters."
Fife Council's legal services manager, June Barrie, explained that the council had commercial insurance in respect of legal liability for third party claims.
"Our insurers appointed Gallagher Bassett to handle third party claims made against the council," she said.
"When Gallagher Bassett made us aware of the cyber incident, we notified the Information Commissioner’s Office of the potential breach of the data protection legislation.
"Following an investigation, the Information Commissioner’s Office decided that regulatory action was not needed as the council had taken due diligence in sourcing a reputable data processor and had acted in a reasonable attempt to secure compliance with the data protection legislation.
"The council was not required to notify any claimants of a data breach."
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here