Cardiff’s children’s chief confirms data leak 2 months after cyber risk was ‘escalated’ – Source: go.theregister.com

Cardiff City Council’s director of children’s services says data was leaked or stolen from the organization, although she did not clarify how or what was pilfered.

Deborah Driffield confirmed a “data breach” while giving an update to the Welsh council’s Governance and Audit Committee, which assembled on Tuesday.

“We have had a data breach that we are currently managing, and drawing up new arrangements in relation to this world of people stealing data and sharing it on the dark web, and trying to understand how we can mitigate against that.

“That’s a fairly new area for us but we have shared the risks there and certainly are working with Welsh government, Data Cymru, and all the other local authorities on that.”

Driffield mentioned the incident while adding that cybersecurity was one of the five “elevated” corporate risks the council was facing when it came to children’s services. A council document [PDF] said cybersecurity risks were particularly a problem when the department had to work with “third parties.”

Aside from confirming the existence of the “breach,” the children’s chief didn’t offer much in the way of additional details.

However, a data exposure at a children’s services department could implicate a broad range of sensitive information. The department is primarily tasked with safeguarding children. Its main duties include ensuring young people stay in families, providing disability support, reducing offending rates, and ensuring fewer young people have to be cared for by social services over time.

Equally, the “breach” could concern only staff data, or benign administrative documents – the possibilities are myriad.

The Register contacted the council, requesting more information about when the “breach” was discovered, how much data was involved, whether any data was stolen, what kind of data was compromised, and whether the affected individuals have been notified.

We also asked the council and Data Cymru if the incident is related to the latter’s November ransomware attack. Data Cymru is a company that works only for and is elected by Welsh local governments to help inform data-driven public service delivery, and wider reports suggested it may have been the source of the breach.

Neither the council nor Data Cymru immediately responded to requests for input. Socura, the “delivery partner” for CymruSOC (Wales’ National Security Operations Centre), told us: “Socura does not comment on security incidents affecting other organisations.”

Driffield alluded to ongoing work at the council to improve its cybersecurity risk rating which is currently in the very highest tiers, although the target is to reduce it to the upper-medium tier by the end of the year.

• US defense contractor cops to sloppy security, settles after infosec lead blows whistle
• Healthcare outfit that served military personnel settles allegations it faked infosec compliance for $11M
• Trump ‘waved a white flag to Chinese hackers’ as Homeland Security axed cyber advisory boards
• Chinese ship casts shadow over Baltic subsea cable snipfest

Current and planned action to be carried out before the end of the year includes rolling out improved security products across the authority, completing general training for all staff, carrying out phishing exercises, putting all senior management through a cyber breach workshop, and procuring better security and governance tools, according to a council document [PDF]. A number of other initiatives remain ongoing.

Cardiff’s risk rating for cybersecurity was raised in January 2025, and another document [PDF] shared with the council’s Governance and Audit Committee noted that any failures in this area could present “a potential safeguarding risk to children.”

It also indicated the council was still working on an action plan to reduce this escalated risk, but aimed to have it implemented by the end of the year 2025/26. ®