15-05-2025
Perth and Kinross Council monitoring its IT systems around the clock
A Perth and Kinross councillor questioned how secure digital systems were after major cyber attacks on other organisations
Following several recent high-profile cyber attacks, councillors have been assured Perth and Kinross Council's Information Technology (IT) systems are monitored non-stop.
M&S, The Co-op and Harrods have all been recent victims of attacks and both West Lothian Council and Edinburgh City Council also appear to have been targeted last week.
And PKC itself has been subject to security and data breaches in the past.
At a meeting of Perth and Kinross Council (PKC) on Wednesday, May 8, Blairgowrie and Glens councillor Bob Brawn sought assurance PKC's digital systems were adequately protected.
At last Wednesday's meeting, the Conservative councillor pointed to the increased move towards digital technology and Artificial Intelligence (AI). He referenced the suspected ransomware cyber-attack on West Lothian Council, which hit the headlines the previous day.
Cllr Brawn asked: "As we're evolving more and more into a digital age, are we protecting our systems as we evolve?"
PKC's strategic lead for Customer and Digital Services Alan Taylor assured councillors the local authority's IT staff worked on a "security-first principle" and were "incredibly proactive".
Mr Taylor said: "Yes, we do everything we can.
"Our IT staff operate to a security-first principle and we are obviously incredibly proactive. In terms of what happened to the retail sector recently, we circulated an advisory note around all of our IT staff.
"We were aware of what happened at West Lothian. I saw one of my colleagues going into Carpenter House at 7am just to ensure there were no issues with ourselves in Perth and Kinross.
"We have 24/7 monitoring. We were one of the first councils to do that, with a security operations centre and our IT management team meet regularly with our security IT staff."
PKC's strategic lead and monitoring officer for Legal and Governance Lisa Simpson added: "Just to give some assurance, the Information Governance and Data Protection and Information Security team that work under mine, work very closely with Alan and we are involved in all of the digitally-related projects particularly AI. AI governance is an integral part of that project's success."
In September 2024, PKC announced a security breach involving one user's email account and access to emails containing the bank account numbers and sort codes of some businesses, suppliers and customers.
At the time, a council spokesperson said: "The breach was identified and secured promptly, but eight emails were accessed. Some of these emails had attachments which may also have been accessed which contained bank account numbers and sort codes of some businesses, individual suppliers and commercial waste customers."
The council apologised for the incident and pledged to directly contact affected individuals "to inform them as soon as possible". The local authority urged everyone to be "cautious of any unusual emails claiming to be from Perth and Kinross Council" and check all council emails come from @ addresses.
In November 2024, PKC's Scrutiny and Performance Committee was told there had been a 77 per cent increase in data breaches, rising from 95 in 2022/23 to 168 in 2023/24.
The report, put before councillors, suggested both greater awareness of recognising data breaches and increased staff workloads across the council may have led to the significant rise in 2023/24.
However, there were 134 in 2021/22 and 146 in 2020/21, so the much lower figure of 95 in 2022/23 was also thought to be "anomalous".
In the 2023/24 financial year, there were 133 unauthorised disclosures, 33 were email errors, one was due to unauthorised access and one was loss of data.
Eight cases had to be reported to the Information Commissioner's Office (ICO) but the ICO was satisfied with the council's response to the breaches and no further action was required.
In the November 2024 report, PKC's data protection officer (DPO) Jillian Walker said: "Given the breadth of all local authorities' activities and the millions of transactions involving personal data that are processed each year, no local authority can state categorically that it is fully compliant with data protection legislation. It is the opinion of the DPO, however, that the council continues to achieve a reasonable and acceptable level of compliance."