Newcastle Council admits to data breach

Newcastle City Council has confessed to exposing up to 54,000 credit and debit card details between February 2006 and April 2007. 

The data included card numbers, names and addresses. But the council insists that, after consulting issuing banks and the police, there is no evidence that the data has been fraudulently used.

The information was contained in a file of transaction details about payments to the council for business rates, council tax, rent and parking fines. The file was encrypted but uploaded to an insecure server.

Newcastle's security breach came to light last Thursday during an independent security review commissioned by the council.

The council claims that transaction data is no longer uploaded to the insecure server and has launched an internal investigation run by independent security experts.

The council does not know exactly how many records were compromised, but this will be uncovered in the investigation. The maximum is 54,000.

"We very much regret that this situation has developed, although we would stress that there has been no indication of any fraud or loss, and that we spotted this situation through the thoroughness of our own security and checking systems," said Newcastle council chief executive Ian Stratford.

UK companies are not obliged to reveal such security breaches. The California Security Breach Information Act, made law on 1 July 2003, compels Californian companies to inform all those affected by a breach, under the threat of heavy penalties for failing to comply.

Security analysts and freedom of information lobby groups are pressing for such legislation to be adopted federally in the US and, in some form, globally.