Westminster City Council Web Site Hacked

Confirmation of Freedom Of Information Request

Thank you for your request for information.

Your request details have now been recorded and will be passed on to the
appropriate Divisional Records Officer for action.

This Freedom Of Information Request was based on the following
information:

Name: P. John
Address: see email address
Email: [FOI #31178 email]
Telephone:
Request Details: Please could you disclose to me, what is the purpose of
the "www3.westminster.gov.uk" web site?

Please could you tell me when you first became aware that the web site had
been hacked? (*)

Please could you tell me what security measures you have in place to
prevent and detect such events?

Please could you tell me what plans you have to remove links to sites
promoting viagra, cialis and other drugs from Westminster Council web
sites?(**)

(*) For example, visit this page, and view the HTML page source;
http://www3.westminster.gov.uk/wish/WISH...

(**) Google search for Viagra on Westminster Council web sites;
http://www.google.co.uk/search?q=site%3A...

Google search for Cialis on Westminster Council web sites;
http://www.google.co.uk/search?q=site%3A...

FOI Reference Number: 5167
Target Completion Date: 21/04/2010

Please do not reply to this email.
This is an automatic response to your request, and replies to this message
will not be actioned.

If you need to contact Westminster City Council regarding your request,
please contact:

mailto:[Westminster City Council request email]
Tel:020 7641 3921

show quoted sections

Dear P John

Thank you for your recent request to the Council. You asked to be provided
with information relating to the domain "www3.westminster.gov.uk". For
ease of reference I shall respond to each of the questions raised in turn

Response

Please could you disclose to me, what is the purpose of the
"www3.westminster.gov.uk" web site?

www3 is a server which hosts a number of non-critical transactional
applications. For example applications which involve submitting simple
forms, and others which query back office databases in order to display
information. They do not display or interact with confidential personal
information.

Please could you tell me when you first became aware that the web site had
been hacked? (*)

Information Services first became aware of an issue with the site on
Sunday 21st March 2010.

Please could you tell me what security measures you have in place to
prevent and detect such events?

The Council's website content is subject to a host of good practice
controls including:
. hardware and network design and configuration to minimise both external
compromise and to isolate from internal systems. Incorporating tools to
detect known compromise attempts, block those attempts and to alert for
their investigation.

. code design, test and release processes to reduce compromise through
errors and omissions.
. regular third party testing against known vulnerabilities and weaknesses
for ongoing assurance of adequate protection.

All controls are subject to regular review and update to ensure they
remain properly configured and fit for purpose.
The technology Community continues to discover new vulnerabilities, and
the Council is confident the controls in place represent a good practice
position in terms of risk versus cost.

Unfortunately we are unable to provide you with details of the specific
security measures employed by the council. This information is exempt from
disclosure under Section 44(2) of the Freedom of Information Act, because
such disclosure would be incompatible with a community obligation. The
Data Protection Act 1998 (implementation of Data Directive from EU)
requires the council to ensure good security and integrity of its ICT
across all departments and systems. Disclosure of specific measures
employed by the council could allow individuals to attempt to circumvent
the security in place and thus this would not be taking the appropriate
measures to secure information in line with our obligations. Therefore
detailed specification has not been provided. This is an absolute
exemption and not subject to a Public Interest test. This paragraph acts
as refusal notice in accordance with Section 17 of the Act.

If you are dissatisfied with our response, please set out your grounds in
writing to the address below. You also have right to contact the
Information Commissioner pursuant to Section 50 of the Act. For your
convenience his contact details are provided here:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Please could you tell me what plans you have to remove links to sites
promoting viagra, cialis and other drugs from Westminster Council web
sites?(**)

The links to sites promoting these drugs were on a redundant non-live
version of site. Access to these links has been removed and there were no
links of this type on the live operational version of the site.

I hope that you find this information answers your questions. However,
should you have any further queries, please do not hesitate to contact me.

Yours sincerely

Catherine Preston
Knowledge and Information Management Team
Information Services
Westminster City Council
101 Orchardson Street
London
NW8 8EA
Tel: 020 7641 3332
Fax: 020 7641 2872
Email: [Westminster City Council request email]

show quoted sections