The Oxford City Council informed it suffered a data breach where attackers accessed personally identifiable information from legacy systems. The incident which took place over the weekend of 7 and 8 June, witnessed how attackers accessed historic data stored over a decade held on legacy systems.

The leaked personal information are of individuals who worked on elections administered by the council between 2001 and 2022, including poll station workers and ballot counters. Most of these people, said the council, will be current or former council officers.

‘”No evidence to suggest that any of the accessed information has been shared with third parties,” said the council in a statement.

The automated systems were able to detect the breach and resulted in disruption to some of their services last week. But the have been working hard to minimize impact on residents.

The council’s email systems and wider digital services remain secure and safe to use, it said, and the council has reported the incident to the relevant government authorities and law enforcement agencies.

According to the Information Commissioner’s Office (ICO), cyber attacks on local authority systems rose by a quarter between 2022 and 2023, while personal data breaches rocketed by 58%.

Major cyber attacks on institutions based in UK

The Oxford attack is the latest of many to affect UK councils. In 2025 alone, Gateshead and West Lothian councils have reported material attacks on their systems, with ransomware groups claiming responsibility for both.

Nottingham City Council also suffered a freak service outage earlier this year, which turned off the lights at the authority’s office building, although that was caused by a datacenter electrical fault rather than intruders.

Legacy Systems Vulnerable to cyber attacks:

A study by Accenture found that 85% of IT leaders in government agencies believe not updating legacy systems threatens their future.

When legacy systems were developed, these applications may have been on top of then-current cybersecurity practices. But with the passage of even a short time, the threat landscape evolves while many legacy systems get left behind.

Legacy systems are the workhorses of many businesses and dependable as these aging software and hardware applications keep core operations running. Legacy dependencies can stall a strategic move to the cloud and digital transformation. 

These outdated software applications, databases, and codebases were once reliable. Presently the software’s struggle to keep pace with digital trends.

Few examples of Legacy system

• Old Enterprise Resource Planning (ERP) systems: These were often built with a monolithic architecture, making them inflexible and difficult to integrate with newer technologies.
• Outdated databases: Hierarchical and older relational database systems may lack the features and security needed for modern applications.
• Custom code: Businesses may still rely on proprietary software written in languages like COBOL, posing challenges for maintenance and updates.

Protect your Network & Digital environment with Intru360

If you are storing sensitive information like passwords, API keys, certificates, and other secrets, it’s critical to ensure they are kept secure.

Many developers often overlook this crucial step, either hardcoding secrets directly into their code or storing them in an insecure manner.

Sometimes lack of attention can have disastrous consequences as we have witnessed many high-profile breaches over the years.

• For seamless business continuity even in the face of cyber threats while maintaining productivity and profitability Intru360 have been introduced to proactive cybersecurity measures and protect your valuable information.
• Stay safe, stay informed and protect your digital environment as Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack.
• Intru360 simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
• Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.
• Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

 

(Sources: https://www.theregister.com/2025/06/20/oxford_city_council_breach/)

https://www.secopsolution.com/blog/common-vulnerabilities-in-legacy-systems-and-how-to-mitigate-them