'Heads need to roll', says domestic violence campaigner after 'reckless' council data blunder

Lydia Afrakomah and her daughter.

Lydia Afrakomah, 32, and her six-year-old daughter spent over a year in a Hackney Council hostel after being made homeless in 2019 – but her exact location was leaked online when an IT worker uploaded an unredacted spreadsheet to a public Trello board. - Credit: Lydia Afrakomah

IT staff at Hackney Council accidentally made a staggering cache of personal data on vulnerable residents available to anyone with an internet connection, a major investigation reveals today.

The astonishing privacy breach came when senior managers chose the wrong privacy settings on a free-to-use project management website – and was only fixed when we tipped off the council’s press team last week.

Our probe comes just six months after cybercriminals leaked a trove of confidential documents stolen in last October’s ransomware attack.

Mayor Philip Glanville vowed to take “additional action” that day to protect residents from further leaks.

But within a month, an IT worker had made public an unredacted spreadsheet that contained the names and addresses of women placed in temporary accommodation for their own safety.

Mayor of Hackney, Cllr Philip Glanville. Picture: Gary Manhine/Hackney Council

Hackney Mayor Philip Glanville apologised for the breach – but played it down as affecting “a small number of residents”. - Credit: Hackney Council

Four weeks after that, a separate upload published contact details for council estate tenants who had requested repairs to boilers, buzzers, and broken doors.

Other documents mistakenly posted online included a screenshot showing a vulnerable tenant’s address and national insurance number, case notes from a welfare check on a “frail” resident, and minutes from a high-level housing meeting that revealed the council was losing £500,000 a month because the cyber attack knocked out its arrears collection service.

Most Read

The blunders were not the work of inexperienced trainees, but often senior managers in the council’s IT team.

We decided to investigate the council’s data protection arrangements after discovering that it had inadvertently named a key witness in a gang-related stabbing by posting links to a poorly-redacted police report in the description of a YouTube video.

Within a week we had uncovered a network of 51 ‘Trello’ boards used by more than 220 council employees and contractors.

The site is popular with tech firms and small businesses, and allows teams to streamline workflows with lists of task ‘cards’ on each board.

When setting up a board, administrators are invited to pick from three privacy settings – ’private’, which makes boards invite-only, ‘workspace’, which limits access to members of their organisation, and ‘public’, which allows anyone on the internet to see.

The default privacy setting is ‘workspace’. 

The spreadsheet containing addresses for Lydia and other vulnerable council tenants.

The spreadsheet containing addresses for Lydia and other vulnerable council tenants was freely available on the internet for five months (artist’s impression – original sheet not shown for data protection reasons). - Credit: LDRS

Single mum Lydia Afrakomah, 32, was placed in temporary hostel accommodation after she and her six-year-old daughter were made homeless in 2019.

The pair spent nearly a year living in a one-room flat with rat-infested stairways and no washing machine.

The building where they stayed is believed to house up to 100 vulnerable residents – including dozens of at-risk women and children.

A council source said that the exact location isn’t publicised for safeguarding reasons.

But Lydia’s name and address was made public in February when an IT worker uploaded a spreadsheet listing women and children in temporary accommodation. Several entries contained an exact hostel room number.

The unredacted Excel file could be downloaded and opened without entering a password – and was freely available through Google until we flagged the breach in late July.

Lydia told the Local Democracy Reporting Service (LDRS) : “I trusted the council to protect me. When I was made homeless I was at their mercy. I thought they would keep me and my daughter safe – but this feels like a betrayal."

She called the breach "reckless" and said she was "scared" to think what could have happened: “That place isn’t safe now, because those partners could find out where the council takes vulnerable women.”

Another file made public by accident showed sensitive biographical information for a ‘vulnerable’ tenant.

Another file made public by accident showed sensitive biographical information for a ‘vulnerable’ tenant in the 20-storey Thaxted Court tower block. - Credit: LDRS

Lydia finally left the hostel in March – and has gone on to find full-time employment as a qualified social worker.

Domestic violence campaigner Ngozi Fulani said "heads need to roll". 

“Vulnerable women could have been killed because of this," she said. "They might still be killed because of it. Perpetrators stop at nothing."

The sheer number and severity of the breaches could see cash-strapped Hackney Council hit with a record-breaking fine from the Information Commissioner’s Office.

Neighbouring borough Newham was handed the current biggest fine for a local authority data breach back in April 2019 – when it was stung for £145,000 after accidentally emailing data on 203 suspected gang members to charities and social workers.

A spokesperson for Hackney Liberal Democrats said: “The major breaches uncovered by this LDRS investigation are simply shocking, and highlight just how incompetent Hackney Council is when it comes to protecting residents’ data."

A screenshot posted by a ‘service designer’ on a board set up to troubleshoot the council’s Covid-19 helpline.

A screenshot posted by a ‘service designer’ on a board set up to troubleshoot the council’s Covid-19 helpline revealed the name and partial address of a ‘frail’ man in Stamford Hill who had no friends, no family, and only a microwave to cook his food (artist’s impression, council redactions in black, Citizen redactions in red). - Credit: LDRS

They called on the council to contact and inform all residents impacted by the breaches and offer a personal apology. The spokesperson added that the party will be making the Information Commissioner’s Office (ICO) aware of the breaches. 

Hackney MP Meg Hillier added: “The breach of data is a serious matter and I am pleased that the council has worked swiftly to tackle it.”

Hackney Mayor Philip Glanville dismissed the breach as “relatively small” as he apologised to residents – and stressed that an “extensive audit” by the IT team had closed the remaining boards.

Screenshot from the Covid-19 helpline troubleshooting board Hackney Council Trello board.

Trello allows users to streamline workflows by creating ‘cards’ for each task (screenshot from the Covid-19 helpline troubleshooting board). - Credit: LDRS

Attempting to make a Trello board public triggers a warning.

Attempting to make a Trello board public triggers a warning that anyone on the internet will be able to see the contents. - Credit: LDRS

The mayor said: “I want to apologise on behalf of Hackney Council to residents affected by this data breach, in which a relatively small number of cases of personal information were shared publicly in error.

“We corrected any public access issues as soon as we were made aware of them, and have carried out an exhaustive audit of all our Trello boards to ensure there are no more corrections that need to be made."

He said that the council has clear measures to protect data and will continue to remind staff of their responsibilities, adding: “When we fall short of the standards I, the council and residents rightly expect, that we will say so and take the necessary steps to put it right including contacting the ICO.

“This issue is completely unrelated to the cyberattack and not a reflection of our commitment to security or our recovery work.”