In April alone, the council’s digital services department blocked more than 900,000 spam or phishing emails, many of which tried to “compromise” town hall information – an average of 20 every minute.
The report, set to be heard by the council audit committee tonight, also addressed October’s potentially disastrous data breach on its TicketViewer site for parking appeals.
As revealed in the Gazette, it emerged that personal information about penalty charge notices was freely available. Details included scanned cheques, medical information to justify appeals – and even one person’s prison record.
It was a concerned citizen who raised the alarm. Tonight’s report reads: “If the failure had been exploited maliciously, the entire contents of the parking database could have been stolen by cyber criminals and/or placed irretrievably in the public domain.”
The council reported its own error to the Information Commissioner’s Office, prompting a review.
The report also described external threats to the authority: “Like all digitally enabled organisations, Islington Council is under constant attack.
“The threat is sustained and growing. Our attackers come in many forms from the archetypical teenage hacker in their bedroom through to crime syndicates and the proxies of nation states. The vast majority of these attacks are untargeted – those perpetrating them have nothing specific against Islington Council.
“A smaller number may be targeted at us.”
It adds: “Our attackers have many motivations, including financial gain, publicising their causes and malice whether they be specific to Islington Council, the wider public sector, the UK, or general western interests.”
Referring to incidents such as October’s leak, it added: “We also face the risk of unintentional vulnerabilities or accidental actions resulting in information security breaches.
“These can result in significant business disruption and reputational damage. If criminals become aware of them, they may exploit them further.
“Both malicious and accidental actions can cause information breaches.
“Both must be managed as security incidents.”