The largest local authority in Kent has been hit by multiple cyber attacks and forced to pay out thousands in compensation for data breaches.

Kent County Council’s vulnerability is revealed in a disclosure under Freedom of Information legislation.

KCC has been targeted by hackers 13 times in three years and suffered 2,452 instances of personal details being stolen or accessed without authorisation between 2021 and the end of February 28 2024.

The council has paid out more than £16,000 in compensation for an unspecified number of data breach claims.

The KCC breaches came to light when DataBreachClaims.org.uk (DBC) issued FoI requests.

DBC’s Eleanor Coleman, said: “We understand that this is worrying and hope that organisations are ensuring that they have sufficient security in place to protect people’s personal information.

“In terms of compensation, this is dependent upon what has happened, the information which has been subject to the data breach and the distress it has caused.

“A lot of cases can be settled without the need to issue court proceedings, but if this is necessary, then we would advise clients accordingly.”

DBC said councils capture and store individuals’ personal information or data in line with General Data Protection Regulation (GDPR) and the Data Protection Act (DPA).

The claims company said that, according to the Information Commissioner’s Office (ICO), cyber attacks on local authorities have gone up by 24% between 2022 and 2023.

It added personal data breaches reported by councils soared by 58% in the same time period.

Former senior military intelligence officer Philip Ingram MBE said the threat against local councils is ever-present but things can be done to mitigate against the growing threat.

One method is to be aware where council data is being stored and to avoid mass-produced security products from the Far East, particularly if their servers are in China, said Mr Ingram.

He added: “Another threat to any local council are the ten digits on your hands which can sometimes click on something by mistake. But that doesn’t mean there should be a culture of blame when people make a mistake - learn from it by education.”

KCC did not dispute the DBC figures but claims they were used “without context”.

A statement said “The ICO has not to date taken any formal action or levied any fines against KCC for any of the incidents that have been reported to them.

“In all cases, KCC has been able to demonstrate its processes and general mitigations in place and has been able to evidence the remedial actions taken to secure data and support affected data subjects for each individual incident.

“Our good practice data policy means we keep a log of all incidents, regardless of ICO classification and requirements, which are reflected in the numbers provided in the FOI response.

“Not all cases represent a significant breach of personal data and some are in relation to incidents recorded by other organisations but involving our data.

“Others are tagged as ‘near misses’, where data has technically gone to the wrong recipient but was a ‘trusted partner’, be that an internal recipient or an organisation we work with comparable professional data codes of conduct and policies as KCC, lowering the risk of further dissemination.

“This is reassuring as it demonstrates staff awareness, that any breach is taken seriously and there is a willingness to report incidents. Many organisations do not report ‘near misses’.

“KCC chooses to go further with its recording in order to demonstrate a responsibility for its data at all levels and inform our rolling staff training, which is mandatory.

“As an organisation, we are continually seeking ways to engage with staff to support them in managing data safely.”