Many UK councils still running unsupported Windows XP


You can only tell people that XP isn’t a great choice for a secure operating system so many times… and then you feel like you’re hitting your head against a brick wall.

CRN journalist Hannah Breeze had the bright idea in June of submitting freedom of information (FOI) requests to all 435 local councils in the UK, asking what operating systems they were using on their PCs.

105 of the councils responded with details of the OSes in use, and it makes worrying reading considering that the UK government’s last-minute deal with Microsoft for a year’s extended support for Windows XP expired in April.

As CRN reports:

“Some 31 per cent of councils which responded said they are running Windows XP in some form and of all the PCs declared by the authorities, seven per cent are running the ancient OS.”


It’s pretty pathetic, isn’t it?

What galls me is that we can choose which businesses we do business with (note to self: don’t create an account on Ashley Madison), but we have no choice about sharing our personal information with public bodies such as our local councils.

As a result, you have to cross your fingers and hope desperately that they will do a competent job at keeping our data secure.

But, in my opinion, continuing to use Windows XP when Microsoft itself has begged people to stop, and no longer provides any support or security updates, is asking for trouble. They’ve even stopped updating their free anti-virus product for the platform.

And it’s not as though the demise of Windows XP in April 2014 came as any kind of surprise - the IT world had known for years that the operating system’s days were numbered, and that the best course of action was to switch to a more modern version of Windows or change operating system altogether.

Now, I’m not blaming IT departments here. I am confident they are aware of the issue, and those who have been told by management that there is no budget for switching to a new operating system have done their best to harden systems from attacks.

But clearly if your management team isn’t treating security upgrades for the software on your networked PCs as a priority, there is a serious problem.

And it’s not just Windows XP, of course.

Earlier this year, security firm Avecto submitted its own freedom of information requests to UK councils, revealing that only 6% were using the latest version of Java.

I wonder how many of those councils have since patched themselves against the latest Java zero-day being exploited in the wild? Actually, I probably don’t need to wonder… the answer is probably all too predictable.

And I’m sure this isn’t just a British problem… Around the world there will be many computers running outdated software that is putting everybody on the internet at greater risk.

12 Responses

  1. Anonymous

    July 22, 2015 at 7:04 pm #

    If some tech savvy miscreant altered the status of some MPs council tax from “paid” to “not paid”, I bet this problem would get fixed very quickly.

  2. Matt

    July 22, 2015 at 7:15 pm #

    XP is an unsupported system by Microsoft, and of course Microsoft would like you to upgrade.

    The company probably get a little bonus for each number that upgrade.

    Microsoft are no longer interested in helping those users migrate and it’s going to stay that way, they made it clear that they’ll help big business who pay. Nor are they interested in helping those feel more confident by patching their system.

    With or without patches you can’t blanket everything there’s no such thing as a super secure system.

    Patches sure can be a good idea but they aren’t 100% effective, and don’t always work.
    And when they don’t work they can cause a bigger problem.

    Councils are under strict measures so if they were in trouble I think they would have upgraded by now.

    • Coyote in reply to Matt.

      July 22, 2015 at 7:50 pm #

      Your response is full of folly.

      1. If you didn’t want to spend money on upgrades, then don’t buy the software in the first place. Otherwise you’re only whining.
      2. No longer helping those users migrate? No longer helping? Do you live years in the past? They were telling users for a long, long time. Then they gave multiple warnings (time in between): those who still hadn’t upgraded don’t actually care; it isn’t that they don’t have help! Your statement is utterly absurd and is blaming Microsoft for (your) poor decision in choosing an operating system that costs money! All software eventually ends in life (even FOSS - free and open source software). It’s just most people adapt to this reality; most evolve just like technology.
      3. Patches: it isn’t that they ‘can be a good idea’: they are a necessity! As for not 100% effective, that is also wrong. They are 100% effective against that which they patch (you do understand what a patch is, in computing, right? It can be a single line of source code that was changed; a single instruction that fixes a flaw in logic, error or even a typo that caused a problem! Once patched it is fixed and so it is 100% effective as long as there wasn’t a bug in the patch; it can happen but then that is fixed when noticed).
      4. It isn’t about requirements; it is, if anything, about budget (and lack of responsibility). They already are in trouble (they just don’t know it). It is a fallacy to say ‘well, since they haven’t upgraded, they must be okay’. It doesn’t work that way. Just because something hasn’t happened doesn’t mean it won’t; just because they’ve not noticed anything doesn’t mean it hasn’t actually happened! You’re lying to yourself when you say what you say; you’re refusing to admit something specific (will let you figure it out).

    • Spennick in reply to Matt.

      July 23, 2015 at 6:53 pm #

      Wow, Matt…awesome post, dude! The next time I need an example of the silliest reasons for not patching a system I’ve ever heard, I’ll know where to find them.

      Great job!

  3. Coyote

    July 22, 2015 at 7:34 pm #

    “and then you feel like you’re hitting your head against a brick wall.”

    Better yet, push their heads against a brick wall.

    “It’s pretty pathetic, isn’t it?”

    Large understatement.

    • Anonymous in reply to Coyote.

      July 22, 2015 at 7:49 pm #

      Unlike XP though, there’s a good chance, that eventually, the brick wall will get patched.

      • Coyote in reply to Anonymous.

        July 23, 2015 at 12:17 am #

        Yes, I suppose that is indeed possible. Perhaps it could be patched with sharp objects, so you can put them out of their misery - they won’t have to listen to you tell them how foolish it is to keep XP. But I suppose even that probably wouldn’t solve the problem…

  4. Council IT worker

    July 23, 2015 at 12:29 pm #

    As a worker in a council who managed to move everyone to Windows 7 some 3 years ago, there is no valid excuse for the work not having been carried out. The one interesting thing to note is that pretty much all of the councils lagging behind are ones that have chosen to outsource their IT.

  5. Anonymous

    July 23, 2015 at 1:51 pm #

    At what point, I wonder, do these councils fall foul of Principle 7 of the Data Protection Act? According to the ICO site, “you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised”

    Does using unsupported and unpatchable software to process and store personal data count as “appropriate security” in any circumstances?

  6. Prison Worker

    July 23, 2015 at 7:40 pm #

    You might be interested… The whole of the public prison estate still uses Windows XP. I’m guessing they have pretty impressive security of their own. I’m also guessing it’s down to money. With thousands of desktop PCs in use in HM Prison Service, the cost of upgrading them all would be enormous.

  7. rar

    July 24, 2015 at 9:12 am #

    Does anybody have, or has anybody requested, similar data from the USA?
    It would be interesting to know the outcome.
    I’m guessing it will be much worse than the UK data, if they reveal it at all.

  8. Kevin

    September 4, 2015 at 3:24 pm #

    Hi Graham,

    I have just received a FOI response from my local council and they are still running Windows XP, and will still have this until the upgrade is completed in 2016.

    Pretty worrying..

    I’ve just emailed the local newspaper in the hope that we can embarrass the council into acting quicker than they would otherwise do. I do not want my personal info appearing on some torrent site, somewhere!
