Council accidentally leaks addresses of vulnerable residents with IT blunder that ‘could have cost lives’

By Jacob Dirnhuber, Local Democracy Reporter | Thursday 29 July 2021 at 16:07
Lydia Afrakomah, 32, and her six-year-old daughter spent over a year in a Hackney Council hostel after being made homeless in 2019 – but her exact location was leaked online when an IT worker uploaded an unredacted spreadsheet to a public Trello board.

IT workers at Hackney Council accidentally made a staggering cache of personal data on vulnerable residents available to anyone with an internet connection, a major Citizen investigation reveals today.

The astonishing privacy breach came when senior managers chose the wrong privacy settings on a free-to-use project management website – and was only fixed when we tipped off the council’s press team last week.

Our probe comes just six months after cyber criminals leaked a trove of confidential documents stolen in last October’s ransomware attack.

Mayor Philip Glanville vowed to take “additional action” that day to protect residents from further leaks.

But within a month, an IT worker had carelessly made public an unredacted spreadsheet that contained the names and addresses of women placed in temporary accommodation for their own safety.

Four weeks after that, a separate upload published contact details for council estate tenants who had requested repairs to boilers, buzzers, and broken doors.

Other documents mistakenly posted online included a screenshot showing a vulnerable tenant’s address and national insurance number, case notes from a welfare check on a “frail” resident, and minutes from a high-level housing meeting that revealed the council was losing £500k a month because the cyber attack knocked out its arrears collection service.

The blunders were not the work of inexperienced trainees, but senior managers in the council’s widely-praised IT team – one of whom repeatedly shared links to a public Google doc that revealed which flats would be left empty during the school run.

We decided to investigate the council’s data protection arrangements after discovering that it had inadvertently named a key witness in a gang-related stabbing by posting links to a poorly-redacted police report in the description of a YouTube video.

Within a week we had uncovered a network of 51 ‘Trello’ boards used by over 220 council employees and contractors.

The site is popular with tech firms and small businesses, and allows teams to streamline workflows with lists of task ‘cards’ on each board.

When setting up a board, administrators are invited to pick from three privacy settings – ‘private’, which makes boards invite-only, ‘workspace’, which limits access to members of their organisation, and ‘public’, which allows anyone on the internet to see.

The default privacy setting is ‘workspace’ – meaning that IT managers had to go out of their way to make boards visible to the public.

The spreadsheet containing addresses for Lydia and other vulnerable council tenants was freely available on the internet for five months (artist’s impression – original sheet not shown for data protection reasons).

A post on a board set up to induct new members of the IT team explicitly warned users to be careful when using sites like Trello.

It said: “You are responsible for making sure that any work-related information you use is kept secure at all times. If you don’t take steps to protect work-related information while using such tools, it could put people and services at risk.”

Single mum Lydia Afrakomah, 32, was placed in temporary hostel accommodation after she and her six-year-old daughter were made homeless in 2019.

The pair spent nearly a year living in a one-room flat with rat-infested stairways and no washing machine.

The building where they stayed is believed to house up to 100 vulnerable residents – including dozens of at-risk women and children.

A council source admitted that the exact location isn’t publicised for safeguarding reasons.

But Lydia’s name and address was carelessly made public in February when an IT worker uploaded a spreadsheet listing women and children in temporary accommodation.

Several entries contained an exact hostel room number.

The unredacted Excel file could be downloaded and opened without entering a password – and was freely available through Google until we flagged the breach in late July.

Lydia told the Citizen: “I trusted the council to protect me. When I was made homeless I was at their mercy. I thought they would keep me and my daughter safe – but this feels like a betrayal.

“It’s terrifying to find out that our address was on the internet for so long. I’m so angry that I don’t know what words to use, and I’m scared to even think what could have happened to us.

“There’s CCTV everywhere inside, but I went in and out with my daughter every day – it wouldn’t be hard for someone to just wait outside.

Another file made public by accident showed sensitive biographical information for a ‘vulnerable’ tenant in the 20-storey Thaxted Court tower block.

“Making that document public was reckless. There are people there who have been taken away from their abusive partners to a place of safety.

“That place isn’t safe now, because those partners could find out where the council takes vulnerable women.”

Lydia finally left the hostel in March – and has gone on to find full-time employment as a qualified social worker.

She added: “I moved to Hackney from Ghana eight years ago and I’ve wanted to be a social worker since I got here. I want to help people because I want to give children and families the kind of support I didn’t get.

“I want to fight for people, because I know how it feels when someone doesn’t listen to you and doesn’t give you a voice.

“All I want to do is help vulnerable people to be safe – I just wish the council had done that for me.”

Domestic violence campaigner Ngozi Fulani raged: “Putting that spreadsheet on the internet for five months s the worst data breach I have ever seen.

“Vulnerable women could have been killed because of this. They might still be killed because of it.

“Perpetrators stop at nothing. They’re relentless and some treat finding their estranged partners like a full-time job.

“Heads need to roll – saying sorry isn’t good enough. The Citizen has performed a heroic public service today in exposing the council’s negligence and getting the files taken down.”

A screenshot posted by a ‘service designer’ on a board set up to troubleshoot the council’s Covid-19 helpline revealed the name and partial address of a ‘frail’ man in Stamford Hill who had no friends, no family, and only a microwave to cook his food (artist’s impression, council redactions in black, Citizen redactions in red).

The same Trello board contained the name, address, birthday, phone number, email, and national insurance number of a resident in the 20-storey Thaxted Court tower block.

An entry at the bottom of his profile noted: “Tenant is vulnerable”.

The board’s administrator is a senior member of the IT team who the Citizen has chosen not to name.

Users are reminded to complete a ‘Privacy Impact Assessment’ if they are “using personal information you have already collected in a new way or using a new tool, like Google Forms, to process personal data.”

But the administrator in question repeatedly posted links to an unsecured Google doc that laid out the potential whereabouts of residents in excruciating detail.

A column listing provisional repair times for each address showed several jobs that needed to be wrapped up by 2.30pm at the latest.

Each entry with a 2.30pm finish had the same adjacent note: “SR (School Run)”.

The blatant disregard for residents’ dignity and personal privacy was summed up on a board set up to streamline the council’s Covid-19 helpline – when a ‘service designer’ illustrated a complaint about line breaks in case notes by sharing a harrowing report from a support worker in Stamford Hill.

A token effort had been made to obscure the “frail” resident’s identity in the email itself – but the carelessly unredacted subject line exposed his name and plight to everyone who saw the screenshot.

The note read: “I received a call from the food charity The Boiler House who reported [REDACTED] did not have sufficient cooking facilities and appeared to be very frail.

Attempting to make a Trello board public triggers a warning that anyone on the internet will be able to see the contents.

“I then contacted [REDACTED] and he advised he does have a care worker but couldn’t say what department she was from or how often she is in contact with him.

“He confirmed he only had a microwave and had no friends or family and his basement flat was not suitable with his mobility issues.”

Leigh White, 52, saw his name, phone number, and address leaked in March after the repairs team sent a letter offering to upgrade the boiler in his Frampton Park Estate flat.

He called to book a visit within minutes of opening the envelope – only for his data to appear on a Trello card about making the repair hub more user-friendly.

Leigh told the Citizen: “When I give out my number, I give it out in confidence. I’m really angry that they’ve been so careless.

“Everyone’s been getting spam texts recently, and I think I’m pretty good at spotting them – but if a burglar texted me my own address, used my name, and told me to pick up a parcel from the post office, I’d probably head out and give them enough time to ransack the place.

“I’m furious that it was out there for so long, and I can’t believe that it only got taken down because of a newspaper.”

His anger was matched by an elderly woman on the Amwell Court Estate whose contact details were published by workers trying to speed up payments to maintenance contractor Alphatrack Systems.

She fumed: “I’m not happy with this. Once you give your information it’s supposed to be private. They’re supposed to look after us, not put our data on the internet. It makes me feel like they don’t care.”

The sheer number and severity of the breaches could see cash-strapped Hackney Council hit with a record-breaking fine from the Information Commissioner’s Office (ICO).

Trello allows users to streamline workflows by creating ‘cards’ for each task (screenshot from the Covid-19 helpline troubleshooting board).

Neighbouring borough Newham was handed the current biggest fine for a local authority data breach back in April 2019 – when it was stung for £145k after accidentally emailing data on 203 suspected gang members to charities and social workers.

A spokesperson for Hackney Liberal Democrats said: “The major breaches uncovered by this Citizen investigation are simply shocking, and highlight just how incompetent Hackney Council are when it comes to protecting residents’ data.

“In isolation this would be bad enough, but against the backdrop of last year’s cyberattack, you would think that any competent local authority would have fully reviewed its IT procedures and data protection arrangements, and picked this up.

“Obviously they did not, and their carelessness has put vulnerable residents at risk.

“These Trello boards were used and administered by senior members of the IT team who couldn’t even get the privacy settings right. The level of incompetence is astonishing.

“Hackney Council needs to immediately make all residents impacted by these breaches aware of what has happened to offer them a personal apology, but also allow for them to raise this serious matter further should they wish.

“We will also be making the ICO aware of these breaches, as Hackney Council can clearly not be trusted to resolve their data protection issues and should not be allowed to mark their own homework on any subsequent investigations and reviews that come out of this.”

Hackney South and Shoreditch MP Meg Hillier added: “Thank you to the Citizen for drawing attention to this issue. The breach of data is a serious matter and I am pleased that the council has worked swiftly to tackle it.”

Data protection expert Emily Overton blasted: “Given that Hackney Council clearly use Trello so often, I’m shocked that they haven’t paid attention to the privacy settings on their boards.

“To be blunt, councils exist to help residents – their biggest responsibility is keeping people safe. When you’re in that position of power, you have to consider the potential impact of everything that you do and prepare for the worst-case scenario.

“This leak throws up a lot of red flags to me. I used to work for councils and part of my job involved reading social care files.

“Some of the things I read were disgusting, and it really opened my eyes to what’s out there.

Hackney Mayor Philip Glanville apologised for the breach – but played it down as affecting ‘a small number of residents’. Photograph: Hackney Council

“Sharing the address and room number of a family in temporary accommodation is negligent – who knows who could have seen it, or what they’d do with that information?

“We’re already in a pandemic, there’s a huge mental health crisis that’s claiming more lives by the day. Why risk adding to the stigmas people feel by letting everyone know that they struggle to feed themselves, that they have mental health issues, or are living in temporary accommodation?

“Councils need to understand that leaked data can have real-world consequences. It’s not about whether or not there’s a leak, it’s about what could happen as a result.

“When you consider the potential impact of making some of this data public, does the convenience of using Trello really matter?

“I constantly worry about the risk to my personal and professional life if my data was to be made public, and I feel sick to hear that councils aren’t aware of the impact it can cause by being this careless.”

Hackney Mayor Philip Glanville dismissed the breach as “relatively small” as he apologised to residents – and stressed that an “extensive audit” by the IT team had closed the remaining boards.

Part of that audit involved the council asking the Citizen for a list of links to all 51 boards – four days after we first explained how to find them manually. Many were still public when we emailed the list last Friday.

He said: “I want to apologise on behalf of Hackney Council to residents affected by this data breach, in which a relatively small number of cases of personal information were shared publicly in error.

“We corrected any public access issues as soon as we were made aware of them, and have carried out an exhaustive audit of all our Trello boards to ensure there are no more corrections that need to be made.

“Hackney Council, like many local authorities, has a policy of openness. This is part of our commitment to transparency both internally and externally, and so that we can work collaboratively with other councils to improve local public services for residents.

“Aside from these small number of cases, our Trello boards are used in line with the council’s policies for the secure handling of personal or other sensitive data.

“We have clear measures that we take to protect the data we hold and we will continue to regularly remind staff of their responsibilities and the safeguards needed.

“When we fall short of the standards I, the council and residents rightly expect, that we will say so and take the necessary steps to put it right including contacting the ICO.

“This issue is completely unrelated to the cyber attack and not a reflection of our commitment to security or our recovery work.”

Update: this article was amended at 18:25 on 29 July 2021. The article originally stated that Mayor Glanville would not apologise until the Citizen had handed over a list of 51 Trello boards. The council disputes this and the sentence has now been removed.

Total
0
Shares
Share 0
Tweet 0
Pin it 0
Share 0