back to article Attack on Oxford City Council exposes 21 years of election worker data

Oxford City Council says a cyberattack earlier this month resulted in 21 years of data being compromised. It said "some historic data on legacy systems" was accessed by unauthorized attackers, namely the personal information of people who worked on council-administered elections between 2001 and 2022. The majority of those …

  1. IGotOut Silver badge

    Rant...

    21 years? 21 fucking years?

    What's that about storing data for a reasonable and proportionate time?

    Still I'm just glad those that are affected are the ones that should be ensuring shit like this doesn't happen.

    1. Anonymous Coward
      Anonymous Coward

      Re: Rant...

      It depends what the information is. Records like '[name], HR record [reference number], oversaw this election' I could see a reasonable desire to store that indefinitely for posterity. If it has something like phone numbers or DOBs or identity or whatever else then it's unacceptable

      Even if it is for historical records there's no way it should be stored on something more readily accessible than Tape. We might even be reaching the point where hard copy storage is desirable as it allows physically-secured, hacker-proof records to be kept for a long time.

      1. Anonymous Coward
        Anonymous Coward

        Re: Rant...

        Physically-secured hard copy has other issues like "who disappeared this sheet of paper at some point in the last X years?", "is this sheet of paper the genuine record or has it been manipulated/substituted for the orginial?", at least if you reasonably assume that each sheet is not individually secured and monitored and more likely just in boxes in a secure-ish room.

    2. Jedit Silver badge
      Headmaster

      "What's that about storing data for a reasonable and proportionate time?"

      Councils are required to store all records for seven years. Other data may be retained for longer. And employment history with respect to elections is one of the most sensitive and important things to retain. There is an urgent need to know that the people counting the votes are absolutely reliable and honest.

      1. tmTM

        Re: "one of the most sensitive and important things to retain"

        So why's it being stored on a poorly secured legacy system?

        1. Yet Another Anonymous coward Silver badge

          Re: "one of the most sensitive and important things to retain"

          >So why's it being stored on a poorly secured legacy system

          Welcome t'council meeting. We're closing the children's center to pay Oracle $$$$$ to update that 20year old system that lists which volunteers counted the votes in the 2000 local election.

          All in favour ?

          1. John Brown (no body) Silver badge

            Re: "one of the most sensitive and important things to retain"

            While funny and absolutely something I could see happening in a local Council Chamber, the real question really ought to be "can we just print this shit out and store it in boxes in the basement since to doesn't ever need to be instantly accessible and definitely not on an insecure (by definition) "legacy" system still connected to t'internet. If ongoing costs are relevant, surely a one off print and put in cold storage is the cheapest and probably most secure option. I be happy to bet a few quid on the data retention legislation only stating the data must be retained, with neither the form of retention nor the convenience of access even being mentioned in it. Or even if access, sans the technology to access it in the future, being legislated for :-)

            1. Yet Another Anonymous coward Silver badge

              Re: "one of the most sensitive and important things to retain"

              Careful, if people find out that a lot of archive data can be simply printed out and put on a shelf and stored cheaply and securely - a lot of the IT industry is unnecessary

            2. Evil Scot Silver badge
              Coat

              Re: "one of the most sensitive and important things to retain"

              You are imbuing council members with common sense AND intelligence.

              My experience of having a council member as a Landlord documents this is not the case.

              Mine is the one with the free hold papers in it.

      2. andy gibson
        Joke

        Re: "What's that about storing data for a reasonable and proportionate time?"

        "There is an urgent need to know that the people counting the votes are absolutely reliable and honest"

        It's just a shame that the recipients of the votes aren't!

  2. heyrick Silver badge

    "there is no evidence to suggest that any of the accessed information has been shared with third parties"

    And they know this how?

    And why was this information being held for over twenty years? Twenty! That's back to the times of Tony Blair and Dubyah.

    1. Alfie Noakes

      "And they know this how?"

      Probably because if they don't actually LOOK for any evidence, they won't find any evidence!

      Standard modus operandi for councils, governments, police etc. :(

  3. Anonymous Coward
    Anonymous Coward

    I wonder if...

    Having worked in the sector (and anon as a result) I'm going to make a guess at the background to this, given the council referred to 'legacy' systems

    The system that manages both elections and the electoral register was to be upgraded or replaced some time around 2022 to 2024. The supplier said they'd transfer X number of years worth of historic data only into the new upgraded/new system and gave various excuses for not taking across the necessary historic data and/or quoted a stupidly high price to do so. The service responsible may or may not have understood the consequences of this and pushed back, but to no avail.

    As a result they (or more accurately their IT Service) have had to keep the legacy system up & available so access to the historic data is maintained. It'll be running on an old version of Windows Server and probably an equally old version of SQL server, both of which are long out of support.

    From bitter experience I know how often data migration and the handling of historic data (whether there's a legal requirement to keep it or not) is badly handled in this type of project. Yes, there are ways to handle it; no, suppliers (especially those in the public sector) are rarely interested or willing to help with that task.

    1. spireite

      Re: I wonder if...

      Wouldn't put it past them to have it stored in DBase frankly, with a VB6 UI.

      1. Gene Cash Silver badge

        Re: I wonder if...

        Jeez, please don't swear that much on a public forum!

    2. DJV Silver badge

      Re: I wonder if...

      Either that or a random MS Access database that just had to stay running as it was underpinning a whole bunch of other random stuff!

      1. Evil Scot Silver badge

        Re: I wonder if...

        Oh come on...

        We all now government departments run on Excel Databases

  4. J.G.Harston Silver badge

    Why the hell are streetlights centrally controlled? Surely (oh dear, yes I know....) all you need is a light sensor on the top of the lamp standard controlling that individual lamp standard.

    1. Zimmer
      Holmes

      Ah, yes individual sensors on the top of the lamp.. you do realise that the pigeons like sitting (I may have spelled that incorrectly) on top of lamp standards.. and an awful lot of individual sensors to maintain..

    2. IGotOut Silver badge

      Because, this may suprise city folk, but we don't live in stabby stabby town, the lights often go off after say 1am.

      1. Gene Cash Silver badge

        Ah, so you come home late from work, and instead of a nice safe brightly lit path, you have to walk in the dark.

        Gotcha. That's ever *so* *much* better. Been there, done that, didn't have a flashlight.

      2. Handlebars

        Oxford has gotten quite stabby over the years. Sometimes in daylight.

    3. Ken Moorhouse Silver badge

      Re: Why the hell are streetlights centrally controlled?

      Because when Reform get in this functionality will be needed for the Curfew.

  5. Winkypop Silver badge
    Alert

    “there is no evidence to suggest that any of the information has been shared with third parties”

    The weasel-word spin doctors have entered the chat!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like