Gloucester City Council has been hit with a hefty £100,000 fine by the Information Commissioner's Office (ICO) for failing to secure its systems from the Heartbleed OpenSSL security flaw - and seeing its systems breached as a result.
The attacker, exploiting the Council's unpatched systems, managed to access its employees' sensitive personal information and to compromise more than 30,000 emails containing personal and financial information.
The ICO has come down especially hard on the Council because it explicitly warned organisations, both public sector and private sector, of the risks posed by Heartbleed and the importance of comprehensively patching accordingly.
The ICO claims that the Council failed to fix the vulnerability "in a timely manner" and that this resulted in a visit from "Anonymous" and the loss of data.
"This was a serious oversight on the part of Gloucester City Council. The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack," said Sally Anne Poole, group enforcement manager at the ICO.
"The ICO investigation found that the council did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made.
"The attacker contacted them claiming to be part of Anonymous, a loose collective behind a series of attacks on websites. The Council should have known that, in the wrong hands, this type of sensitive information could cause substantial distress to staff.
"Businesses and organisations must understand they need to do everything they can to keep people's personal information safe and that includes being extra vigilant during periods of change or uncertainty."
Security firms have moved on from warning people about Heartbleed - which ought to have been patched in 2014 - in favour of WannaCry, but at least one has some sympathy with the council.
"This is a very serious and overt omission indeed. However, I doubt it would be fair or reasonable to shift the blame to the city council. As with many other small cities, they must have blindly relied on a local IT supplier," said Ilia Kolochenko, CEO of web security firm High-Tech Bridge.
"Negligence of the supplier is likely to be the proximate cause of the breach. The city should explore available legal avenues to claim damages and compensation from the supplier."