Recurring |
unknown |
(a) The software failure incident has happened again at one_organization:
The article does not mention any previous incidents of a similar nature happening within the same organization (East Devon District Council) [108588].
(b) The software failure incident has happened again at multiple_organization:
The article does not provide information about similar incidents happening at other organizations [108588]. |
Phase (Design/Operation) |
design |
(a) The software failure incident in Article 108588 was related to the design phase. The incident occurred when the council IT provider Strata added Airwatch and Outlook 365 passwords to individual councillors' profiles, leading to a significant data breach where passwords of more than half of the East Devon District Council members were made available online to other councillors. This design decision introduced a vulnerability that allowed access to confidential information such as probation reports, medical information, and electoral register data [108588].
(b) The software failure incident in Article 108588 was not specifically related to the operation phase or misuse of the system. |
Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident at East Devon District Council was primarily within the system. The breach occurred due to passwords being made available online to other councillors, indicating an internal issue with how passwords were managed within the council's IT system. The breach led to potential access to confidential information stored in councillors' emails, highlighting a failure originating from within the system itself [108588].
(b) outside_system: There is no specific information in the article suggesting that the software failure incident was due to contributing factors originating from outside the system. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in Article 108588 occurred due to non-human actions. The data breach at East Devon District Council was a result of passwords being made available online to other councillors due to a breach in the system. The breach was attributed to the council IT provider Strata adding Airwatch and Outlook 365 passwords to individual councillors' profiles, which led to the exposure of confidential information stored in the affected councillors' emails. The breach was identified as a non-human action that introduced contributing factors leading to the software failure incident [108588].
(b) The software failure incident in Article 108588 also involved human actions. Following the breach, councillors had to reset their passwords to rectify the situation. Additionally, the council's cabinet discussed steps to introduce appropriate safeguards to prevent such incidents in the future. Human actions, such as the need for password resets and the implementation of new safeguards, were taken in response to the software failure incident caused by non-human actions [108588]. |
Dimension (Hardware/Software) |
software |
(a) The software failure incident in Article 108588 was not attributed to hardware issues. Instead, it was related to a data breach where passwords of East Devon District Council members were made available online to other councillors. The breach occurred due to the council IT provider Strata adding Airwatch and Outlook 365 passwords to individual councillors' profiles, allowing unauthorized access to sensitive information stored in their emails [108588]. This incident was primarily a software failure as it originated from the mishandling of passwords and access controls within the software systems. |
Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident in Article 108588 was malicious in nature. The incident involved a significant data breach where passwords of more than half of the East Devon District Council members were made available online to other councillors. This breach allowed access to potentially sensitive and confidential information such as probation reports, medical information, and electoral register data. The breach was not accidental but involved passwords being added to individual councillors' profiles, indicating a deliberate act to compromise the security of the system [108588]. |
Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The software failure incident in Article 108588 was primarily due to poor decisions. The incident involved a significant data breach at East Devon District Council where passwords of more than half of the council members were made available online to other councillors. The breach occurred when the council's IT provider, Strata, added Airwatch and Outlook 365 passwords to individual councillors' profiles, leading to potential access to confidential information such as probation reports, medical information, and electoral register data by unauthorized individuals. The breach prompted the Information Commissioner's Office (ICO) to launch an investigation, and swift action was taken to reset passwords and address the issue. Additionally, during a council meeting, concerns were raised about the need for appropriate safeguards to prevent such incidents in the future, indicating that poor decisions contributed to the software failure incident [108588].
(b) The software failure incident in Article 108588 also involved accidental decisions or mistakes. Councillor Paul Millar discovered the initial breach, highlighting that the incident was not intentional but rather a result of inadvertent actions. The cabinet portfolio holder for corporate services, Jess Bailey, acknowledged the seriousness of the matter and mentioned being "sufficiently reassured" that the risk of unauthorized access was low. However, she could not provide a categorical assurance that emails and residents' data were not accessed by unauthorized individuals, indicating that accidental decisions or mistakes played a role in the incident [108588]. |
Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident in Article 108588 can be attributed to development incompetence. The incident involved a significant data breach at East Devon District Council where passwords of more than half of the council members were made available online to other councillors. This breach occurred when the council's IT provider, Strata, added Airwatch and Outlook 365 passwords to individual councillors' profiles, leading to unauthorized access to potentially sensitive information such as probation reports, medical information, and electoral register data. The breach necessitated swift action to reset passwords and notify the Information Commissioner's Office (ICO) for investigation. Additionally, during a council meeting, concerns were raised about the need for appropriate safeguards to prevent such incidents in the future, indicating a lapse in professional competence in handling sensitive data [108588].
(b) The software failure incident in Article 108588 does not seem to be accidental. The breach was a result of specific actions taken by the IT provider to add passwords to individual profiles, which inadvertently exposed sensitive data to unauthorized access. The incident was not described as a random or unintentional event but rather as a consequence of the actions taken by the council's IT provider, indicating a lack of proper controls or oversight in the implementation of password management procedures [108588]. |
Duration |
temporary |
(a) The software failure incident in this case was temporary. It was a data breach where passwords of 37 out of 60 East Devon District Council members were made available online to other councillors. The breach occurred at the start of November, and swift action was taken to rectify the situation by resetting passwords. The IT provider Strata quickly acted to reset passwords and notify the Information Commissioner's Office (ICO) of the breach. The incident was addressed promptly, indicating that it was a temporary failure [108588].
(b) The software failure incident was not permanent as the breach was identified and addressed promptly, with passwords being reset and the ICO being notified for investigation. The incident did not result in a long-term or irreversible impact on the council's systems or data security [108588]. |
Behaviour |
omission, other |
(a) crash: The software failure incident in Article 108588 did not involve a crash where the system lost state and did not perform any of its intended functions.
(b) omission: The incident involved an omission where the system omitted to perform its intended functions at an instance(s) by making passwords available online to other councillors, potentially allowing access to confidential information [108588].
(c) timing: The incident did not involve a timing failure where the system performed its intended functions correctly, but too late or too early.
(d) value: The incident did not involve a value failure where the system performed its intended functions incorrectly.
(e) byzantine: The incident did not involve a byzantine failure where the system behaved erroneously with inconsistent responses and interactions.
(f) other: The behavior of the software failure incident in Article 108588 was related to a data breach that exposed confidential information due to the omission of proper security measures, leading to passwords being available online and potentially allowing unauthorized access to sensitive data [108588]. |