Many UK councils still running unsupported Windows XP

Windows XPYou can only tell people that XP isn’t a great choice for a secure operating system so many times… and then you feel like you’re hitting your head against a brick wall.

CRN journalist Hannah Breeze had the bright idea in June of submitting freedom of information (FOI) requests to all 435 local councils in the UK, asking what operating systems they were using on their PC computers.

105 of the councils responded with details of the OSes in use, and it makes worrying reading considering that the UK government’s last-minute deal with Microsoft for a year’s extended support for Windows XP expired in April.

As CRN reports:

Sign up to our free newsletter.
Security news, advice, and tips.

“Some 31 per cent of councils which responded said they are running Windows XP in some form and of all the PCs declared by the authorities, seven per cent are running the ancient OS.”


It’s pretty pathetic, isn’t it?

What galls me is that we can choose which businesses we do business with (note to self: don’t create an account on Ashley Madison), but we have no choice about sharing our personal information with public bodies such as our local councils.

As a result, you have to cross your fingers and hope desperately that they will do a competent job at keeping our data secure.

But, in my opinion, continuing to use Windows XP when Microsoft itself has begged people to stop, and no longer provides any support or security updates, is asking for trouble. They’ve even stopped updating their free anti-virus product for the platform.

Windows XP gravestone

And it’s not as though the demise of Windows XP in April 2014 came as any kind of surprise – the IT world had known for years that the operating system’s days were numbered, and that the best course of action was to switch to a more modern version of Windows or change operating system altogether.

Now, I’m not blaming IT departments here. I am confident they are aware of the issue, and those who have been told by management that there is no budget for switching to a new operating system have done their best to harden systems from attacks.

But clearly if your management team isn’t treating security upgrades for the software on your networked PCs as a priority, there is a serious problem.

And it’s not just Windows XP, of course.

Earlier this year, security firm Avecto submitted its own freedom of information requests to UK councils, revealing that only 6% were using the latest version of Java.

I wonder how many of those councils have since patched themselves against the latest Java zero-day being exploited in the wild? Actually, I probably don’t need to wonder… the answer is probably all too predictable.

And I’m sure this isn’t just a British problem… Around the world there will be many computers running outdated software, that is putting everybody on the internet at greater risk.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

12 comments on “Many UK councils still running unsupported Windows XP”

  1. Anonymous

    If some tech savvy miscreant altered the status of some MPs council tax from “paid” to “not paid”, I bet this problem would get fixed very quickly.

  2. Matt

    XP Is an unsupported system by Microsoft, and ofcourse Microsoft would like you to upgrade.

    The company probably get a little bonus for each number that upgrade.

    Microsoft are no longer interested in helping those users migrate and it's going to stay that way, they made it clear that they'll help big business who pay. nor are they interested in helping those feel more confident by patching their system.

    With or without patches you can't blanket everything there's no such thing as a super secure system.

    Patches sure can be a good idea but they aren't 100% effective, and don't always work.
    And when they don't work they can cause a bigger problem.

    Councils are under strict measures so If they were in trouble I think they would have upgraded by now.

    1. Coyote · in reply to Matt

      Your response is full of folly.

      1. If you didn't want to spend money on upgrades, then don't buy the software in the first place. Otherwise you're only whining.
      2. No longer helping those users migrate? No longer helping? Do you live years in the past? They were telling users for a long, long time. Then they gave multiple warnings (time in between): those who still hadn't upgraded don't actually care; it isn't that they don't have help! Your statement is utterly absurd and is blaming Microsoft for (your) poor decision in choosing an operating system that costs money! All software eventually ends in life (even FOSS – free and open source software). It's just most people adapt to this reality; most evolve just like technology.
      3. Patches: it isn't that they 'can be a good idea': they are a necessity! As for not 100% effective, that is also wrong. They are 100% effective against that which they patch (you do understand what a patch is, in computing, right? It can be a single line of source code that was changed; a single instruction that fixes a flaw in logic, error or even a typo that caused a problem! Once patched it is fixed and so it is 100% effective as long as there wasn't a bug in the patch; it can happen but then that is fixed when noticed).
      4. It isn't about requirements; it is, if anything, about budget (and lack of responsibility). They already are in trouble (they just don't know it). It is a fallacy to say 'well, since they haven't upgraded, they must be okay'. It doesn't work that way. Just because something hasn't happened doesn't mean it won't; just because they've not noticed anything doesn't mean it hasn't actually happened! You're lying to yourself when you say what you say; you're refusing to admit something specific (will let you figure it out).

    2. Spennick · in reply to Matt

      Wow, Matt…awesome post, dude! The next time I need an example of the silliest reasons for not patching a system I've ever heard, I'll know where to find them.

      Great job!

  3. Coyote

    "and then you feel like you're hitting your head against a brick wall."

    Better yet, push their heads against a brick wall.

    "It's pretty pathetic, isn't it?"

    Large understatement.

    1. Anonymous · in reply to Coyote

      Unlike XP though, there's a good chance, that eventually, the brick wall will get patched.

      1. Coyote · in reply to Anonymous

        Yes, I suppose that is indeed possible. Perhaps it could be patched with sharp objects, so you can put them out of their misery – they won't have to listen to you tell them how foolish it is to keep XP. But I suppose even that probably wouldn't solve the problem…

  4. Council IT worker

    As a worker in a council who managed to move everyone to windows 7 some 3 years ago, there is no valid excuse for the work not having been carried out. The one interesting thing to note is that pretty much all of the councils lagging behind are ones that have chosen to outsource their IT.

  5. Anonymous

    At what point, I wonder, do these councils fall foul of Principle 7 of the Data Protection Act? According to the ICO site, "you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised"

    Does using unsupported and unpatchable software to process and store personal data count as "appropriate security" in any circumstances?

  6. Prison Worker

    You might be interested… The whole of the public prison estate still uses Windows XP. I'm guessing they have pretty impressive security of their own. I'm also guessing it's down to money. With thousands of desktop PC in use in HM Prison Service, the cost of upgrading them all would be enormous.

  7. rar

    Does anybody have/requested for similar data from USA?
    It would be interesting to know the outcome.
    I'm guessing it will be much worse than UK data if at all they reveal it.

  8. Kevin

    Hi Graham,

    I have just received a FOI response from my local council and they are still running Windows XP, and will still have this until the upgrade is completed in 2016.

    Pretty worrying..

    I've just emailed the local newspaper in the hope that we can embarrass the council into acting quicker than they would otherwise do. I do not want my personal info appearing on some torrent site, somewhere!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.