IT staff at Hackney Council accidentally made a staggering cache of personal data on vulnerable residents available to anyone with an internet connection, a major investigation reveals today.
The astonishing privacy breach came when senior managers chose the wrong privacy settings on a free-to-use project management website – and was only fixed when we tipped off the council’s press team last week.
Our probe comes just six months after cybercriminals leaked a trove of confidential documents stolen in last October’s ransomware attack.
Mayor Philip Glanville vowed to take “additional action” that day to protect residents from further leaks.
But within a month, an IT worker had made public an unredacted spreadsheet that contained the names and addresses of women placed in temporary accommodation for their own safety.
Four weeks after that, a separate upload published contact details for council estate tenants who had requested repairs to boilers, buzzers, and broken doors.
Other documents mistakenly posted online included a screenshot showing a vulnerable tenant’s address and national insurance number, case notes from a welfare check on a “frail” resident, and minutes from a high-level housing meeting that revealed the council was losing £500,000 a month because the cyber attack knocked out its arrears collection service.
The blunders were not the work of inexperienced trainees, but often senior managers in the council’s IT team.
We decided to investigate the council’s data protection arrangements after discovering that it had inadvertently named a key witness in a gang-related stabbing by posting links to a poorly-redacted police report in the description of a YouTube video.
Within a week we had uncovered a network of 51 ‘Trello’ boards used by more than 220 council employees and contractors.
The site is popular with tech firms and small businesses, and allows teams to streamline workflows with lists of task ‘cards’ on each board.
When setting up a board, administrators are invited to pick from three privacy settings – ‘private’, which makes boards invite-only, ‘workspace’, which limits access to members of their organisation, and ‘public’, which allows anyone on the internet to see the board.
The default privacy setting is ‘workspace’.
Single mum Lydia Afrakomah, 32, was placed in temporary hostel accommodation after she and her six-year-old daughter were made homeless in 2019.
The pair spent nearly a year living in a one-room flat with rat-infested stairways and no washing machine.
The building where they stayed is believed to house up to 100 vulnerable residents – including dozens of at-risk women and children.
A council source said that the exact location isn’t publicised for safeguarding reasons.
But Lydia’s name and address were made public in February when an IT worker uploaded a spreadsheet listing women and children in temporary accommodation. Several entries contained an exact hostel room number.
The unredacted Excel file could be downloaded and opened without entering a password – and was freely available through Google until we flagged the breach in late July.
Lydia told the Local Democracy Reporting Service (LDRS): “I trusted the council to protect me. When I was made homeless I was at their mercy. I thought they would keep me and my daughter safe – but this feels like a betrayal.”
She called the breach "reckless" and said she was "scared" to think what could have happened: “That place isn’t safe now, because those partners could find out where the council takes vulnerable women.”
Lydia finally left the hostel in March – and has gone on to find full-time employment as a qualified social worker.
Domestic violence campaigner Ngozi Fulani said "heads need to roll".
“Vulnerable women could have been killed because of this," she said. "They might still be killed because of it. Perpetrators stop at nothing."
The sheer number and severity of the breaches could see cash-strapped Hackney Council hit with a record-breaking fine from the Information Commissioner’s Office.
Neighbouring borough Newham was handed the current biggest fine for a local authority data breach back in April 2019 – when it was stung for £145,000 after accidentally emailing data on 203 suspected gang members to charities and social workers.
A spokesperson for Hackney Liberal Democrats said: “The major breaches uncovered by this LDRS investigation are simply shocking, and highlight just how incompetent Hackney Council is when it comes to protecting residents’ data."
They called on the council to contact and inform all residents impacted by the breaches and offer a personal apology. The spokesperson added that the party will be making the Information Commissioner’s Office (ICO) aware of the breaches.
Hackney MP Meg Hillier added: “The breach of data is a serious matter and I am pleased that the council has worked swiftly to tackle it.”
Hackney Mayor Philip Glanville dismissed the breach as “relatively small” as he apologised to residents – and stressed that an “extensive audit” by the IT team had closed the remaining boards.
The mayor said: “I want to apologise on behalf of Hackney Council to residents affected by this data breach, in which a relatively small number of cases of personal information were shared publicly in error.
“We corrected any public access issues as soon as we were made aware of them, and have carried out an exhaustive audit of all our Trello boards to ensure there are no more corrections that need to be made."
He said that the council has clear measures to protect data and will continue to remind staff of their responsibilities, adding: “When we fall short of the standards I, the council and residents rightly expect, that we will say so and take the necessary steps to put it right including contacting the ICO.
“This issue is completely unrelated to the cyberattack and not a reflection of our commitment to security or our recovery work.”