
Moray Council criticised after ‘ridiculous’ posts revealed passwords





Moray Council repeatedly shared its own passwords on a public website, we can reveal, during nearly two years of “ridiculous” cyber security errors.

It has been revealed that login details for emergency benefits software were accessible through a Google search for more than a year, after staff posted them online.

Moray Council posted its own passwords online.

In May 2023, one post revealed both the username and password used to access Scottish Welfare Fund applications.

Staff also shared a further three passwords online in the year from August 2024 - following a derivative pattern each time.

In total, seven now-removed posts on Moray Council’s Interchange website - between November 2022 and August 2024 - included information about passwords.

A lecturer who teaches cyber security, and asked not to be named, described the council’s repeated “bad practice” as “ridiculous”.

“It’s just a ‘no no’ on a very basic level,” he added.

“I just don’t understand.

“It suggests they have shared passwords, which on its own is a ‘no no’.

“And you shouldn’t even write passwords down.

“Then sharing it within an organisation is bad enough, but sharing it on a public website is something else.”

A Moray Council spokesperson said posting the passwords online had created a “minimal” risk to personal data.

The login details, she added, were for a “secure internal system” available only through the council’s own network.

Stating that it was “not possible” for anyone outside Moray Council to gain access, the spokesperson admitted: “We appreciate that no password should be publicly accessible.”

Moray Council also confirmed that the posts were removed during efforts to “check and secure our intranet as far as possible” following “a previously identified incident”.

In September 2024, it was reported that personal details of Moray Council customers had been posted on Interchange dozens of times over two years.

The Information Commissioner’s Office watchdog confirmed that the council received “words of advice” over the incident, but no fine was issued.

The spokesperson pledged that “all staff will be reminded” that parts of the Interchange website are public.

Employees are also set to receive extra training, and password guidelines were being “reviewed and updated”, the spokesperson added.

While the benefits software was only available through the council’s own network, the lecturer said that the outcome could have been stark had somebody gained access.

“With vulnerable people, just their details getting out would be bad enough,” he said.

“But there could be bank accounts in there or payment details involved - and that is worrying.

“There is no evidence of a data breach happening because of this, but they opened themselves up to a data breach - a serious data breach.

“A breach of protected category data, the worst kind of breach.”

The lecturer argued that it was important for the public sector to make sure that their IT systems were secure from attack.

However, he added: “But nothing is more of a vulnerability than just handing over your credentials.”

The incident could be a sign of the council’s “chaotic” approach, the lecturer said, and suggested that staff had been given “insufficient training”.

Moray Council’s Interchange website was launched in 2016 as an intended replacement for its intranet system.

However, both websites appear to still be in use.

The council spokesperson said that, while some Interchange pages are kept secure, others are public so that “non-office or desk-based staff” can easily find information.

“The Interchange pages are designed to allow non-office or desk-based staff the opportunity to access the same employee documents, policies and updates as all other staff,” she added.

“While there is a secure section of our website, this needs to be balanced with the need to provide all staff with information in as accessible a way as possible for them.

“All staff will be reminded that some parts of Interchange can be accessed publicly and the importance of securely storing data.”





