Hackney London Borough Council has dismissed a finding that it had breached data protection law before records were lost in a cyber attack.
The Information Commissioner’s Office (ICO) has issued the council with a reprimand after hackers accessed and encrypted 440,000 files in 2020.
The regulator said its investigation revealed a lack of proper security and processes to protect personal data at the council.
Hackers were able to access records with residents’ addresses, racial or ethnic origin, religious beliefs, sexual orientation, and health, economic and criminal offence data.
Some 9,605 records were also exfiltrated.
At least 280,000 residents were affected by the breach, and the council acknowledged that the attack ‘posed a meaningful risk of harm’ to 230 data subjects.
Deputy ICO commissioner Stephen Bonner said: ‘This was a clear and avoidable error from London Borough of Hackney – one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents.’
But the council maintained that it had not breached its security obligations.
A spokesperson said: ‘We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data.’
However, the authority said it was not in residents’ interests to use its resources to challenge the ICO’s decision.