South Gloucestershire Council

South Gloucestershire Council inadvertently exposed the sensitive personal data of 625 residents online for three days. The breach involved names, addresses, phone numbers, and email addresses of individuals who had participated in a Local Plan consultation on 24 October. The data, which should have been deleted from a worksheet before publication, was mistakenly left accessible on the council’s consultation website. Upon discovery, the council took immediate action to remove the information and reported the incident to the Information Commissioner’s Office (ICO). An initial assessment classified the risk to affected individuals as 'low,' though the council emphasized its commitment to data protection by reviewing internal protocols and pledging to implement ICO guidance to prevent future occurrences. The breach was attributed to human error in failing to redact the personal details prior to publishing the document.

Source: https://ca.news.yahoo.com/hundreds-residents-details-shared-data-112916717.html

TPRM report: https://www.rankiteo.com/company/south-gloucestershire-council

"id": "sou5733057110425",
"linkid": "south-gloucestershire-council",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '625',
                        'industry': 'Public Administration',
                        'location': 'South Gloucestershire, UK',
                        'name': 'South Gloucestershire Council',
                        'type': 'Local Government'}],
 'customer_advisories': 'Public apology issued; no direct notification details '
                        'provided.',
 'data_breach': {'data_exfiltration': 'No (Data Published Publicly by Mistake)',
                 'file_types_exposed': ['Worksheet/Document'],
                 'number_of_records_exposed': '625',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Phone Numbers',
                                                         'Email Addresses'],
                 'sensitivity_of_data': 'Moderate (Contact Details)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'description': "A council chief has apologised after hundreds of residents' "
                'sensitive data was mistakenly shared online. Some names, '
                'addresses, phone numbers, and email addresses of 625 people '
                "who responded to South Gloucestershire Council's consultation "
                'on 24 October were published online for three days. The error '
                'occurred when documents containing personal data were not '
                'deleted from a worksheet before publication. The council took '
                'prompt action to remove the data and report the breach to the '
                "Information Commissioner's Office (ICO). An initial "
                "assessment indicated a 'low risk' to those affected.",
 'impact': {'brand_reputation_impact': 'Moderate (Public Apology Issued)',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Phone Numbers',
                                 'Email Addresses'],
            'identity_theft_risk': "Low (Per Council's Initial Assessment)",
            'legal_liabilities': 'Potential (Reported to ICO, Assessment '
                                 'Ongoing)',
            'systems_affected': ['Consultation Website']},
 'investigation_status': 'Ongoing (Initial Assessment Completed, Awaiting ICO '
                         'Guidance)',
 'lessons_learned': 'Importance of rigorous data redaction procedures before '
                    'publishing documents online. Need for automated checks or '
                    'secondary reviews to prevent human error in handling '
                    'sensitive data.',
 'post_incident_analysis': {'corrective_actions': ['Review and Update Data '
                                                   'Protection Protocols',
                                                   'Follow ICO Recommendations',
                                                   'Implement Measures to '
                                                   'Prevent Recurrence'],
                            'root_causes': ['Human Error (Failure to Delete '
                                            'PII from Worksheet)',
                                            'Inadequate Pre-Publication Review '
                                            'Process']},
 'recommendations': ['Implement automated redaction tools for documents '
                     'containing PII before publication.',
                     'Enhance staff training on data protection policies and '
                     'procedures.',
                     'Conduct regular audits of public-facing documents to '
                     'ensure compliance with GDPR.',
                     "Adopt a 'privacy by design' approach in consultation "
                     'processes to minimize data exposure risks.'],
 'references': [{'source': 'BBC News'}],
 'regulatory_compliance': {'regulations_violated': ['UK GDPR (Potential '
                                                    'Violation)'],
                           'regulatory_notifications': ['Reported to '
                                                        'Information '
                                                        "Commissioner's Office "
                                                        '(ICO)']},
 'response': {'communication_strategy': ['Public Apology by Council Chief',
                                         'Statement to Media'],
              'containment_measures': ['Data Removed from Consultation '
                                       'Website'],
              'incident_response_plan_activated': 'Yes (Followed Data '
                                                  'Protection Incident Policy)',
              'remediation_measures': ['Review of Data Protection Protocols',
                                       'Follow ICO Guidance']},
 'stakeholder_advisories': 'Council has communicated with affected individuals '
                           '(implied by public statements and ICO reporting).',
 'title': 'South Gloucestershire Council Data Breach: Sensitive Resident Data '
          'Mistakenly Published Online',
 'type': 'Data Breach (Unintentional Disclosure)',
 'vulnerability_exploited': 'Human Error (Failure to Redact Sensitive Data)'}