back to article Thousands of taxpayers' personal details potentially exposed online through councils' debt-chasing texts

Bulk SMS messages sent by local councils across the UK contained weblinks leading to pages that freely exposed to the public thousands of taxpayers' names, addresses, and outstanding debts, The Register can reveal. Text messages sent by Telsolutions Ltd on behalf of a dozen local authorities contained shortlinks to webpages …

  1. Anonymous Coward
    Anonymous Coward

    Please click the link to read

    SMSes prompting the person to click a link to a little-known third-party link shortener! Surely only good things could come from encouraging such behaviour!

    1. Anonymous Coward
      Anonymous Coward

      Re: Please click the link to read

      Happens all the time, management approve "solutions" which encourage poor security behaviour because it's convenient and cheap for them at the time with zero consideration over whether it's right.

      The same management will then argue why we need to focus resources on training and raising awareness with staff over fraud etc.

      1. Peter Gathercole Silver badge

        Re: Please click the link to read

        I had a dialogue with my water company recently about exactly this.

        They sent me a text saying that due to work on the mains, the water from our taps may be disculoured, and provided a short link to a explanatory web page.

        When I pointed out to them that there was no way that a recipient could confirm where the text had come from, and that the short link could also not be verified without actually visiting the page, and the page pointed to could be bogus and run by scammers or malware deliverers, they just said that it was common industry practice, and they used a reputable link-shortening service (if there is such a thing).

        I referred them back to whatever passes as their cyber security department so they could be educated about the dangers of clicking on uncheckable links, and what the results could be. Funnily enough, I did not get a response from them after this.

        1. FlamingDeath Silver badge

          Re: Please click the link to read

          Wait, you think they have a infosec department?


          If they do, it'll be a branch of GCHQ, and they're just there to clear up the mess

          Who do you think cleans up the ransomware attacks for these muppets....

          1. nowster

            Re: Please click the link to read

            With a different sort of meaning of Water Board, perhaps?

        2. Diogenes8080

          An honourable shortener

          The case for URL shortening services in an era when a URL can be conveniently represented by a short hyperlinked word is indeed marginal. SMS is regrettably one case where it is justifiable, though the [redacted] responsible for the site mentioned in the article could have done better even so. I would be curious to know if misrepresentations were made to the councils in question, or whether IT project staff on the ground failed to read the small print or possibly even the large print written in friendly crayon colours. Capita, as always, remain the clerical omelette.

          To judge the worth of a shortening service, see if it offers a convenient reverse service whereby the recipient can input a link and see what it would expand to.

          1. Ken Moorhouse Silver badge

            Re: see if it offers a convenient reverse service

            To educate users of the pitfalls of link-shorteners, I would argue for clicking on the shortened link to open a "mapping" page, showing the target link with "I wish to open this link"/"Get me outta here" buttons, the latter being the default. Ok it interferes with the "user experience", but which would you prefer: a rollercoaster with or without the safety considerations?

            Browsers should also provide this functionality automatically, but that is a longer-term goal. I know some shorteners offer this, but the default behaviour is set to "trust".

            1. Michael Wojcik Silver badge

              Re: see if it offers a convenient reverse service

              QR codes are just as bad. For a while I had a web page which just said something along the lines of "if I weren't ethical, you'd be pwnd now", and I'd stick the QR-encoded URL for it in the security presentations I gave internally, just to see who'd bite. But it's like trying to ice-skate uphill.

              At least these days a lot of phones will display the decoded URL from a QR code and ask you before following it. Still a stupid technology, though.

              1. Ken Moorhouse Silver badge

                Re: QR codes are just as bad

                In some cases, worse.

                If a QR code is supplied as part of a contract, the customer needs to have control of where that QR code points to. Might sound like STBO, but I have encountered situations where this is not the case, the supplier wanting to exploit the ability to change the target in the future.

                Ok, I agree this can happen with shorteners too, but QR codes are arguably seen as a fixed part of a design, rather than text that can simply be changed, particularly where a logo has been cleverly embedded in the visual appearance of the QR code. Those into the "creativity" aspects of a product might not take on-board what goes on "under the bonnet".

        3. Alan Brown Silver badge

          Re: Please click the link to read

          > Funnily enough, I did not get a response from them after this.

          You got put in the *plonk* box as a nutter

          Now write something explaining the risks in plain english, give it to a journalist and get THEM to ask the question

          Alternatively wait 6 weeks and FOI/SDR them on the handling of the exchange, such that they have to explain in detail what they did next

        4. Ken Moorhouse Silver badge

          Re: I had a dialogue with my water company...

          They arrogantly believe they know everything there is to know about leaks.

          1. Jim Whitaker

            Re: I had a dialogue with my water company...

            Maybe but they are not good at fixing them, are they. See Thames Water for one.

        5. Michael Wojcik Silver badge

          Re: Please click the link to read

          It's a straightforward externality. There's no cost to the organization for using these dangerous mechanisms, and using something better would be an additional cost -- at least the cost of changing an existing system or provider.

          This situation won't improve until the externality is converted to a direct cost. The only (non-violent) mechanisms for doing that are market forces and regulation. Market forces often don't apply (how many water boards can you choose from?), and have generally failed where the do (because not enough customers care about this sort of thing, and often there's no better choice anyway). So until we regulate against this sort of practice it will continue.

          In the case described in the article, it sounds like there ought to be some stiff GDPR fines being handed out. But I'm not holding my breath.

          1. Arthur Daily

            Re: Please click the link to read

            Add deceptive conduct.

            Each of the councils had a suspiciously cloned response, as if the vendor value added, and said hey, if the nosey press calls, read them this pre-canned guff. If an approved suppler did this 'L plate' deep link mistake, they should be scrubbed off the vendor list. +1 for GDPR fines.

        6. Peter Gathercole Silver badge

          Re: Please click the link to read

          What a surprise. I got another text from them the other day, effectively saying the same thing, but lookie lookie. A full URL, not a shortened link.

          Amazing. Thank you for listening Wessex Water.

          Sometimes it actually seems worth raising these things.

      2. Martin M


        I like to reply with "Thank you for your shortlink, but local security policies forbid me from opening them. Please enter the full link at<code>, otherwise I will be unable to read your message."

        Target of the shortened URL can be varied depending on situation and level of annoyance...

    2. MortimerTheCat

      Re: Please click the link to read

      I came to the comments to make the same point. I teach people never to click on a link; there are too many phishing messages going around to take a risk. But then you get genuine messages like this one, with an unrecognisable domain undermining my security lessons!

      1. Anonymous Coward
        Anonymous Coward

        Re: Please click the link to read

        Yammer, Teams, Outlook; 365 produces screeds of alert emails which have more triggers than real phishing emails. And there is little MS lets you do to change the configuration or stop them.

        How are we supposed to train staff to spot phish when real emails appear less trustworthy?

      2. Doctor Syntax Silver badge

        Re: Please click the link to read

        It gets worse. replies to reports with a number of links, mostly to various NCSC sites but also including Action Fraud and usually buried well down the bottom of the reply - too far down to even see without scrolling on my browser. But earlier this month they started including a prominently placed link to a 3rd party survey. Really?

        I'd like to think it was really to some site designed to discourage clicking on stray links but more likely they actually thought a 3rd party to a survey didn't look at all suspicious.

    3. JimboSmith Silver badge

      Re: Please click the link to read

      My last security training module at work had warnings about exactly this. We were told to watch out for links sent by email, WhatsApp, SMS etc. from people/companies we didn't know. Weirdly I received a dubious SMS (on a number neither work nor Amazon have) a couple of minutes after finishing the module. I declined to click the link despite their being an "issue" with my order.

    4. This post has been deleted by its author

  2. Doctor Syntax Silver badge

    "We take security and all matters of data protection extremely seriously. After identifying a potential vulnerability with one of our systems,"

    Identifying such a noob vulnerability after the event once it's been pointed out and then describing it as "potential" says a great deal about what they mean by "extremely".

    1. Dan 55 Silver badge

      Meanwhile Coventry City Council and Crapita pushed the boat out and restated what the Register told them. Genius.

  3. Mike 137 Silver badge

    Taking it very seriously

    Taking idiotic lack of security very seriously always happens after the fact, not before.

    There is actually a statutory duty under the GDPR (to which the UK is still subject via the DPA 2018) to verify that subcontractors have adequate technical and procedural measures in place to protect personal data.

    The biggest problem is that effectively no organisation really gives two hoots about personal privacy, so they don't bother to fulfil this duty (or any other duty under the legislation). A second problem is that unless a large number of data subjects are directly and seriously affected it's very hard to make any obligation to improve stick, as only the given instance gains attention, not the fundamentally defective sense of responsibility.

    1. TimMaher Silver badge

      Re: Taking it very seriously

      Yeah but, dont forget that Crapita was involved.

    2. a_yank_lurker

      Re: Taking it very seriously

      Unfortunately it would probably take about dozen public executions of C-suite or equivalent failures to get people's attention. Then they might take it seriously as their hide is on the line.

    3. Michael Wojcik Silver badge

      Re: Taking it very seriously

      Oh, I know of a number of organizations that take GDPR and other privacy legislation quite seriously, because now there are direct costs associated with violations.

      But it's true that many do not. And if the sanctions regimes for these laws -- that is, significant fines against offending organizations -- are not enforced, soon no one will bother.

  4. Doctor Syntax Silver badge

    How many of these councils have reported themselves to the ICO? And have Telesolutions who take all matters of data protection extremely seriously done so?

    1. Halfmad

      Assuming they know of the breach most will.

      Public sector "has the most breaches" because they are by far (especially Healthcare) far more likely to self-report.

      1. IGotOut Silver badge

        Yup, as there are no consequences for them.

        Oh dear, we've been fined £50million. Oh well we'll just cut some services, increase parking fines and costs, slap a few hundred quid on the council tax and close a library.

        No biggie.

        1. Doctor Syntax Silver badge

          The most effective way of dealing with public bodies would be to ensure that it ended up as an adverse marking on the annual reports of those responsible. Even better if it could be arranged to show up for several years running.

          1. Anonymous Coward
            Anonymous Coward

            That's not actually true, ok paying a fine isn't hitting anyone's profit in the public sector but management live in abject terror of the the ICO.

            Not enough terror to get them to push down to managers that they need to do their due dilligence properly but quite a bit.

            Being on the other side of this, getting large suppliers like Crapita to respond truthfully and openly about any compliance requirements is like trying to make a rock talk. You get ignored, passed around, lied to, deliberately misunderstood, accused of making unreasonable demands, no ones else is bothered why are you!

            Middle managers are under pressure to meet tax collection targets, they are not being measured against their GDPR compliance. So if you only have so much time and resource you're going to spend it doing what you are measured on. And so they sign up to crap like this to get on with it.

            1. Mike 137 Silver badge

              Rather like the Spanish Inquisition?

              "not being measured against their GDPR compliance"

              Nobody seems to be measured against their GDPR compliance. A piece of research we conducted from Autumn 2018 to January 2021 did not find a single organisation fully compliant with the (very simple) transparency obligation. This strongly suggests that the more complicated aspects of compliance are being ignored as well - by, effectively, everyone. My consulting experience also bears this out, and not just in the public sector.

        2. Jim Whitaker

          Public Sector reporting

          True in bits but you try being the Information Governance Manager who has to tell Senior Members of the Board that a potentially adverse report has to be made to the ICO. Their concern for the damage to reputation is real and substantial. (Ask me how I know. :-) )

          1. Coastal cutie

            Re: Public Sector reporting

            A "Who Me?" story by any chance...….

  5. keith_w

    I am surprised the Reg wasn't threatened for 'hacking' peoples personal information!

  6. Pascal Monett Silver badge

    "We take security and all matters of data protection extremely seriously"

    That is why we sent out URLs to tens of thousands of people without ever checking that the procedure was secure.

    Once the horse had bolted though, we very seriously closed the barn doors.

    Hint : stop giving us bullshit about how seriously you take data security when it is absolutely clear that you did not.

  7. Jonathan Richards 1

    I am mildly encouraged... the observation that "[T]he majority of links sent [were] not being accessed at all". This tells me that (i) most people dunned by SMS are already well aware that their Council Tax is in arrears, thank you, and (ii) that just maybe people are learning that clicking on the link in response to strident instruction is dangerous.

    1. IGotOut Silver badge

      Re: I am mildly encouraged...

      Or the phone numbers were incorrect.

  8. Chris G

    Seriously, we take your data

    Then we let anyone have access to it because training is hard and expensive to implement properly for our staff.

    I have been to in house training sessions at councils where everyone knows everyone, is given a pamphlet or a printout and then have a nice chat for a bit before going back to work tem minutes before knocking off time.

    That's how seriously a lot of things are taken.

  9. AndyFl

    Proper redaction

    Looks like ElReg should get good marks for properly redacting the images in this article rather than just publishing something containing an additional layer with black rectangles. I have to deduct a couple of points for the horrible webp file format :)

    The only really secure method of redaction is to mark up the page, print it then take an image of the printout. This guarantees no metadata which might leak sensitive data.

  10. Justin Case

    Seriously indifferent

    What does taking seriously mean in these cases?

    I picture a room full of dour faced bureaucrats proclaiming with sombre earnestness, unleavened by any scintilla of self awareness, that their devotion to the sanctity and protection of personal data is untainted with any degree of levity or inappropriate jocular disregard. When really they mean they don't give a shit, never have and never will. Except of course when it comes to the actions of others.

    1. SuperGeek

      Re: Seriously indifferent

      "When really they mean they don't give a shit, never have and never will. Except of course when it comes to the actions of others."

      No, except of course when it comes to the aftermath of being fined. They then realise how serious it was.

  11. Aristotles slow and dimwitted horse


    "We take security and all matters of data protection extremely seriously"

    But obviously not seriously enough to check all of this before actually sending with real world personal data?

    1. Jimmy2Cows Silver badge

      Re: Muppet.

      "We take security and all matters of data protection extremely seriously but thought we'd get away with it since we don't give a toss about security of debtor details. Now we've been found out and someone has complained, we're seriously taking it seriously. Seriously. Look how serious we're being!"

  12. Blofeld's Cat

    Hmm ...

    "... a contract for collecting taxes ..."

    I believe contracting out tax collection was also tried in France in the late eighteenth century. It didn't work out terribly well for the people in charge at the time.

    It's the one with red Phrygian cap ...

  13. Anonymous Coward
    Anonymous Coward

    Me, I'm enjoying "innocently created by individuals who fail". Seems a description applicable to so many situations.

  14. DMcDonnell

    Public records

    The UK is such a strange place.

    Here in the USA property records and their attendant

    tax bills are considered public records for anyone to see.

    1. GlenP Silver badge

      Re: Public records

      The tax bands and hence amount payable is public record here in the UK.

      What isn't, and shouldn't, be of public record is that an account is in arrears and by how much (at least until the person is taken to court).

  15. FlamingDeath Silver badge

    FUCKING COUNCILS!!!!111!!!111oNE

    Why do we pay councils to then pay other companies to do the thing we paid them to do.

    Why don't we just stop paying the council, pool together and just do it our fucking selves

    Or would we likely get sent to prison for trying to seek some sanity?

    I have yet to see a positive news story about a council, any where.....Do they exist?

  16. Doctor Syntax Silver badge

    On reflection I think this comment I made the other day applies here:

    It raises the usual questions about top management:

    Do they believe what they say?

    Do they believe we'll believe what they say?

    Do they think we won't care even when we don't believe what they say?

    Do they care whether we care when we don't believe what they say?

    None of the alternatives show them up in a good light but I've never been able to determine which is the case given that the only external evidence is that they keep spouting bollocks that only an idiot would believe.

    On further reflection I've realised that quotes like this aren't directed at anyone who knows the difference between a shift key, a shift lock key and a control. They're aimed at the execs of the councils involved and any stray councillors who take an interest, the sorts of people who'd be equally likely to spout such bollocks. To adapt the BBC's motto "Management shall spout bollocks unto management".

  17. Anonymous South African Coward Bronze badge

    Any Saffers on here remember the time when the City of Johannesburg had the same issue with their billing website? Change the URL slightly, and you get the billing details of somebody else.

    IIRC somebody downloaded a ton of bills by running a special program before the CoJ put an end to it by pulling the Ethernet plug on the webserver :)

    Seems as if Chitty Councils are the same the world over, want to save a few pennies and end up with unhappy, pissed-off people.

    1. Alan Brown Silver badge

      " Change the URL slightly, and you get the billing details of somebody else."

      It was probably the same software

      1. Anonymous Coward

        > It was probably the same software

        It was probably Crapita as well. Although they might try to disguise themselves a bit by using the local name for the company: Crepita.

  18. Tron Silver badge

    They'll have to increase the council tax to pay the fines.

    Any texts I get from an unrecognised source are deleted unread.

    I get scam calls from Indian call centres on a daily basis, so I replace the handset on any automated call within seconds.

    A supposedly official-looking e-mail from someone I haven't contacted goes straight in the spam folder, which may encourage my webmail provider to block the sender's e-mail address across their system.

    So if they pivot to digital in this way, rather than sending a letter to my address, they would get FA of a response and their e-mail functionality may face headwinds.

    My bank have also started sending me e-mails. As e-mail is fundamentally insecure (and always has been), these go straight in the spam folder too. Banks should know better by now than to use e-mail.

    1. 0laf

      Re: They'll have to increase the council tax to pay the fines.

      Banks use email because it's cheap.

      Banks use SMS as a MFA toke not because it's secure (it's not any more due to sim swap fraud bringing the entire mobile phone industry into your attack surface), but because it's easy and cheap.

      And banks know what they should be doing, they hire people that know security good practice, they CHOOSE not to do it.

      Fines and compensation are just operating costs for them. Until the hit on their bottom line is significant they'll continue to make bad choices.

  19. Dave 15

    Stunningly simple solution

    Do away with council tax. Fund each council based on number of people*X + number of business *y from central government revenue.

    This cutes down paperwork, accountants, collection systems and costs. It cuts back to either expenditure or income related tax so taxing the rich more than the poor.

    It is more than time for a flat tax and flat benefit system, fair, simple and cheaper although it doesn't hide all those slight of hand tax increases we have had since Thatcher decided to kill employment by wiping out manufacturing and labour screwed up by buying American jets instead of making our own

    1. Anonymous Coward
      Anonymous Coward

      Re: Stunningly simple solution

      > Fund each council based on number of people*X

      I think you'll find that's called a poll tax. It didn't work very well last time. And it certainly doesn't cut down collection costs.

      Unless you mean fund the Councils out of general taxation and put up VAT or income tax instead? That would mean a "one size fits all" service across the whole of the country - because it would be the same amount of money per person (perhaps age adjusted) and a Labour Council couldn't decide to spend more than a Tory one. So you might as well abolish the Councils as well and have a single large corporation - like Capita - run everything across the country. After all - if the funding is the same and the service is the same then economy of scale dictates central provision.

      Good luck getting the pothole in your street fixed.

    2. Brewster's Angle Grinder Silver badge

      Assuming all human beings are spherical and of equal volume

      "It is more than time for a flat tax and flat benefit system, fair, simple and cheaper..."

      Simple? Undoubtedly. Cheaper? Have you met Capita? Fair? Only if you adopt the most infantile definition of "fair".

      This is especially clear in the benefit system. You either pay out an extortionate sum that guarantees anyone can meet their needs. Or some people's needs aren't met without top ups. Human beings are complicated and end up with tangled lives, and it makes sense to pay based on need - with the aim being everyone has a decent minimum standard of living. You don't even have to look down at the individuals; housing costs aren't consistent across the country so want to pay the housing component of the benefit based on local prices.

      The argument is a bit more nuanced for the tax system. But clearly, there's no point taking money off low paid people just to give it back to them with benefits. So straight away we have to have an exception. And if you want tax to raise revenue, then the rates end up ruinously high or the rich have to pay higher rates. (There's a discussion to be had about the purposes of taxes, here. But if you beleived in MMR, you wouldn't be arguing for flat taxes - because taxes are there to damp down inflation and the rich are the people who you want to take it off.)

      And all that's before we start using the tax system to discourage bad behaviour (sin taxes) and encourage good behaviour.

      1. Cliffwilliams44 Silver badge

        Re: Assuming all human beings are spherical and of equal volume

        The tax system should not be used to encourage or discourage behavior, that is what laws are for.

        The government should not be in the business of setting a "minimum standard of living"! All that does is encourage bad behavior. Government help should be extremely limited and short term. It should be based upon individuals who find themselves in situation "through no fault of their own" i.e. The wife and Children abandoned by the husband (said husband should be tracked down and prosecuted). This should be temporary and should require some form of work program to offset the cost.

        For the most part in Western societies the poor are poor not because of societal problems but because of their own behavior either early in life or continual through out their live. Drugs, alcohol, gambling, foolish spending, bad work habits, failure to get a good education, all these things and more leads to poverty when we take away the pain pf poverty we take away the motivation to improve ones self. In the US poverty is easy! We have FAT poor people in this country. Since 1963 we have generations of people on Public Assistance.

        And then there are minimum wage laws which makes jobs illegal! You have a job worth $10/hr to you and there is someone who will take that job? Sorry you can't hire him! All this does is make things more expensive for the people who can least afford it!

    3. Cliffwilliams44 Silver badge

      Re: Stunningly simple solution

      Consumption taxes fix all of this. No collection efforts needed, no one avoids the tax with complex loopholes. Heck, even the criminals end up paying the tax!

      And no it is not regressive! If poor people can spend $150 on lottery tickets in 1 shot then they can pay a 10% levy on the things they buy! (sans food of course)

  20. MrNigel

    SMS for the few

    This is what happens when an engineering tool goes mainstream.....

  21. Zenco

    Private individuals get picked on and bullied by arrogant incompetent faceless bureaucracy. Would it be too much to ask that all officials are named and held personally responsible for every action they take, with systems designed so that there is no wriggle room. They want all the perks and the kudos, but never the comeback. If a lowly functionary screws up, their immediate superior should take the flak, and the person above him likewise, all the way to the top, they are just the hired help after all. Zen.

  22. Frank Fisher

    |"lessons will be learned"

    But no one will be punished. Working in local government means you are totally immune from all consequences of incompetence or criminality.

  23. ISYS

    Tax Payers?

    If they are debt chasing texts then the recipient is not a TaxPayer surely ;-)

  24. Dinosaurus_Techs

    Wow, what a coincidence that they all said almost the exact same thing, it's almost as if they have a common set of approved excuses that they know will make them sounds as if they care when all they are doing is hoping to kick it down the road until everyone is looking somewhere else.

    The public sector - the place where accountability and responsibility goes to die ..........

  25. flayman Bronze badge

    Could be prosecuted in USA for doing what this reader did.

    In America, people have been convicted under the Computer Fraud and Abuse Act for doing just what this reader did by modifying a URL to gain access to data through a sequential id.

  26. SuperPurpleron

    We told them 3 years ago!

    We made Tel-Solutions aware of this back in December 2018. Nice to see they didn't change their behaviour and continued to provide insecure solutions to Councils. Of course the responsibility is the Council's but still, they compounded and encouraged this.

    1. John Brown (no body) Silver badge

      Re: We told them 3 years ago!

      Have you informed the ICO along with the evidence that they've had 3 years to deal with the issue? That should help increase the fines.

  27. Cliffwilliams44 Silver badge

    Obviously these people have no idea how to collect money.

    137 pounds? Not worth suing for. So they opted for the cheapest method. Not understanding that...

    SMS message? ignored

    Email? ignored

    Scary letter that looks like it is coming from some lawyer? That might get some folks attention

    Obviously the cost of the Post was just too much to spend.

    Technology is not always the best answer. In the area of collections, a letter followed by a phone call is 1000 times more effective.

  28. Missing Semicolon Silver badge


    A spokesman confirmed that the council had carried out a Data Protection Impact Assessment before using Telsolutions.

    So how did they do that? Since evidently no actual assessment was made. Does that mean that the company performing the assessment is liable?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like