Gloucester City Council has been hit with a hefty £100,000 fine by the Information Commissioner's Office (ICO) for failing to secure its systems from the Heartbleed OpenSSL security flaw - and seeing its systems breached as a result.
The attacker, exploiting the Council's unpatched systems, managed to access its employees' sensitive personal information and to compromise more than 30,000 emails containing personal and financial information.
The ICO has come down especially hard on the Council because it had explicitly warned organisations, both public sector and private sector, of the risks posed by Heartbleed and of the importance of patching comprehensively.
The ICO claims that the Council failed to fix the vulnerability "in a timely manner" and that this resulted in a visit from "Anonymous" and the loss of data.
"This was a serious oversight on the part of Gloucester City Council. The attack happened when the organisation was outsourcing their IT systems. A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack," said Sally Anne Poole, group enforcement manager at the ICO.
"The ICO investigation found that the council did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made.
"The attacker contacted them claiming to be part of Anonymous, a loose collective behind a series of attacks on websites. The Council should have known that, in the wrong hands, this type of sensitive information could cause substantial distress to staff.
"Businesses and organisations must understand they need to do everything they can to keep people's personal information safe and that includes being extra vigilant during periods of change or uncertainty."
Security firms have moved on from warning people about Heartbleed - which ought to have been patched in 2014 - in favour of WannaCry, but at least one has some sympathy with the council.
"This is a very serious and overt omission indeed. However, I doubt it would be fair or reasonable to shift the blame to the city council. As with many other small cities, they must have blindly relied on a local IT supplier," said Ilia Kolochenko, CEO of web security firm, High-Tech Bridge.
"Negligence of the supplier is likely to be the proximate cause of the breach. The city should explore available legal avenues to claim damages and compensation from the supplier."