
Gloucestershire Business News

Council may fight six-figure fine after 30,000 emails are hacked

Gloucester City Council is today considering an appeal after being fined £100,000 over a "serious" cyberattack that gained access to financial and sensitive information about its employees.

The Information Commissioner's Office (ICO) imposed the penalty following an investigation into how a hacker exploited the 'Heartbleed' software flaw to access council employees' sensitive personal information.

The attacker took advantage of a weakness in the council's website in July 2014, which led to more than 30,000 emails being downloaded from council mailboxes.

In response to the fine, Gloucester City Council managing director Jon McGinty said: "The council is very disappointed with this decision by the Information Commissioner, and is considering its position whether to appeal.

"The council takes the security of its data very seriously and remains of the view that it did take swift and reasonable steps in 2014 to prevent a data breach as soon as it was alerted to the existence of this hacking vulnerability and the availability of a security patch.

"The Heartbleed vulnerability was a threat to businesses for some time before a patch was issued by software providers.

"There is insufficient evidence to show that the hacking event took place after the council became aware of the existence of the potential vulnerability.

"The council believes that the penalty issued by the ICO will have a serious and detrimental impact on its finances, and the services that we will be able to provide to the residents of Gloucester in the future.

"The council has invested more than £1million over the past three years to further improve its IT security and remains vigilant to the threats that all businesses face on a daily basis.

"The council did account for the risk of this potential fine in its accounts for 2016-17 but nevertheless its payment will only result in money being taken away from the people of Gloucester and given to Treasury."

An ICO investigation found that the council did not have sufficient processes in place to ensure its systems had been updated while changes to suppliers were made.

The attacker contacted the council claiming to be part of Anonymous, a group known for attacks on websites.

ICO group enforcement manager Sally Anne Poole said: "This was a serious oversight on the part of Gloucester City Council.

"The attack happened when the organisation was outsourcing their IT systems.

"A lack of oversight of this outsourcing, along with inadequate security measures on sensitive emails, left them vulnerable to an attack.

"The council should have known that in the wrong hands, this type of sensitive information could cause substantial distress to staff.

"Businesses and organisations must understand they need to do everything they can to keep people's personal information safe and that includes being extra vigilant during periods of change or uncertainty."


Copyright 2024 Moose Partnership Ltd. All rights reserved. Reproduction of any content is strictly forbidden without prior permission.