
1 Sylvan Court Sylvan Way SS15 6TH Basildon, Essex, UK

Analysis: Under attack


Local authorities and other public organisations hold vast amounts of data which cyber criminals are keen to get hold of. How can they better protect themselves?

Richard Young, Editorial Lead Writer

Posted 23 June 2025 | JoTS Online


Content Tags:  Analysis|Uncategorised|National


Spreading the word about phishing emails, fake websites and AI-enabled scams is a crucial part of the preventative work undertaken by Trading Standards, especially within the context of ever-expanding industrial-scale global fraud. But while they are supporting the public and businesses, Trading Standards teams – and the local authorities within which they are embedded – are increasingly coming under attack themselves.

According to the Information Commissioner’s Office (ICO), the regulatory body which deals with data security in the UK, between 2019 and 2024, local authorities reported 5,822 ‘data incidents’. Of those, 468 were classified as cyber-attacks (the remainder include things like failure to redact sensitive information in documents, accidental loss of data, or failure to blind-cc private email addresses). In 2019 there were just 31 cyber-attacks on local authorities, leaping to 170 in 2023 and 122 last year.

When criminals target businesses, their aims are primarily financial – is that also the case with attacks on local authorities, or is there something more insidious going on? Kate Lloyd is a Regional Cyber Security Advisor at Tarian Regional Organised Crime Unit (ROCU) for southern Wales, which provides advice to organisations on how to remain cyber-secure. “The majority of the attacks are random,” she says. “[Scammers] will just put out as much as they can to look for vulnerabilities in organisations. They look for the easiest route in, which is why it is important for all of us to keep our cyber-security up to date.

“In terms of targeted attacks, if we’re talking about local government, education or the health sector, they obviously hold a lot of personal and sensitive data which could be really valuable to cyber-criminals. A ransomware attack for example could result in reputational damage, and losing people’s information creates safeguarding risks. It could also lead to really catastrophic fines by the ICO.

“We’ve also seen state-affiliated groups which are attacking the UK,” Lloyd adds.

Under the Data Protection Act 2018, the ICO has powers to impose fines on organisations – including businesses and local authorities – which fail to protect customers’ and citizens’ data. It also requires data breaches to be reported. According to the ICO’s website, ‘In cases where a clear and serious breach of the legislation has taken place, we will take direct action […]. In the most serious cases, we can serve a monetary penalty of up to £17.5m, or 4% of your total worldwide annual turnover, whichever is higher.’

Letting your guard down
We all know how easy it can be to become distracted or even complacent about cyber-security. Scammers also know this, which is why they try to create and exploit situations where potential victims are under pressure, the so-called ‘hot states’ in which we are at our most vulnerable. “People are always busy, and that is why we try to encourage a no-blame culture so that people feel comfortable to come forward if they are concerned about something, rather than ignoring it,” Lloyd says.

“It is important to have a multi-layered approach – whilst people are the first line of defence, it is good for organisations to have tech like spam filters in place too.”

The ‘lucky dip’ approach used by many scammers can be devastating when it pays off. But since a lot of Trading Standards departments are involved in sensitive work, including investigations of serious organised crime, there is also the potential for them to fall foul of more targeted attacks. “A lot of people mention on social media platforms like LinkedIn what roles they are in – if criminals are looking to target someone working within a specific organisation, they may use that to zone in in a more targeted way,” Lloyd says.

“One of our main bits of advice is to go on haveibeenpwned.com, where people can check whether their details have been released in a data breach. Quite often when criminals seize personal data, they will sell it on the dark web. This site is fantastic because it tells you how many times your username or password may have appeared in one of these breaches.

“Sometimes data may have been compromised because someone’s used the same password on their personal accounts as for their work account,” she adds.

Back it up
Once cyber-security has been compromised – in a ransomware attack, for example – it can be all but impossible for files to be recovered. Last year one Trading Standards service in Scotland experienced a cyber-attack which severely impacted their ability to access live case files and records. That damage can be mitigated, to some extent, by keeping backups, Lloyd says. “Backups should be part of everyday business. Often we speak to people who say, ‘Yeah, I’ve got a backup in place,’ but when you ask when it was last updated, they don’t know.

“We recommend having an external backup that isn’t accessible to all staff, and is not permanently connected. Ransomware is the main concern; when files are completely encrypted and you can’t access anything, if there aren’t any recent backups in place, you’re going to have to start from scratch.

“It is also important to make sure third-party suppliers are cyber-secure because if one of them isn’t, you can be breached that way – which is infuriating when you’ve done everything you can,” Lloyd adds.

Out of office
Since the covid pandemic, the barriers between our home and working lives have become increasingly porous. That creates an extra level of risk, according to Kathryn Fox, Senior Regional Communications Officer at Tarian ROCU. “You see an increasing number of people who might go to a coffee shop to work, or they may be working on a train,” she says. “Even if you don’t feel that what you’re doing is especially sensitive, you don’t know who’s looking over your shoulder. Don’t leave devices unattended and be mindful of what’s going on in your surroundings. If you have to work in a public place make sure you’re not sat in front of a window where people walking past can see your screen, and if you’re using public wi-fi, make sure you’ve got a VPN.”

If you do think your computer may have been compromised, Lloyd says, “the best thing you can do is disconnect it from the internet. And then get in touch with your IT department – it’s a really good idea to have their contact number written down somewhere that isn’t on your laptop.”

The past few years have seen the advent of deepfake scams and AI-generated voice recordings or videos. New technology creates a whole new dimension of risk – but also provides tools to fight back, says Lloyd. “We have seen examples where a deepfake of a colleague has appeared on screen in online meetings. Cyber-criminals are also using AI to up their technical skills; they can use it to create malicious code or things like survey templates that look really realistic.

“On the flip side,” Lloyd concludes, “AI has also introduced services which can prevent these things or spot malicious code – so it’s almost ‘AI versus AI’. We will be working to raise awareness of that in the future.”

Cyber-security: best practice for councils

  • Regular training sessions can enhance staff awareness and create a culture of cyber-security within the organisation.
  • Regularly update and patch all software, systems and devices to address vulnerabilities.
  • Develop and regularly test an incident response plan with clear communication protocols.
  • Foster collaboration among councils. Sharing threat intelligence can enhance the collective defence.
  • Regularly back up data and ensure recovery processes are in place to enable a quicker restoration of services.
  • Consider seeking guidance from experts who can conduct assessments and recommend tailored strategies.
  • Stay informed and compliant with data protection regulations to help build a resilient cyber-security framework.

Further information
The National Cyber Security Centre (NCSC) has a range of resources on its website to help local authorities improve their cyber-security, with guidance on things like password management and cloud storage.

The Information Commissioner’s Office (ICO) also has useful resources.

haveibeenpwned.com is a free tool that checks whether your email address has been included in a data breach.


PLEASE NOTE: This content originally appeared on our standalone Journal of Trading Standards website (www.journaloftradingstandards.co.uk), which we are gradually migrating over to the Journal's new home on the CTSI website. Please bear with us while we complete this process. This will not affect the production of our Print Edition.



© 2026 Chartered Trading Standards Institute. All rights reserved.
