Over a quarter of all UK councils have had their IT systems breached in the past five years, according to privacy campaign group Big Brother Watch.
Freedom of information requests sent by the group found that 114 councils experienced at least one incident between 2013 and 2017, as well as more than 98 million cyber attacks on local councils in total across the country.
This amounts to 37 cyber attacks launched every minute on the local governments, with successful attempts potentially giving hackers access to the sensitive and personal information of UK citizens, said Big Brother Watch in its 'Cyber attacks in local authorities' report.
Worst yet, the report uncovers the councils' failure to report losses and breaches of data - which organisations must do within 72 hours under GDPR, though currently do not have to under UK law - as well as shortcomings in staff training.
It found that despite human error being the main factor in a successful hack, 75% of local authorities said their staff don't undergo compulsory cyber security training.
Jennifer Krueckeberg, lead researcher at Big Brother Watch, said: "With councils hit by over 19 million cyber attacks every year, one would assume that they would be doing their utmost to protect citizens' sensitive information.
"We are shocked to discover that the majority of councils' data breaches go unreported and that staff often lack basic training in cyber security. Local authorities need to take urgent action and make sure they fulfil their responsibilities to protect citizens."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Newcastle City Council blamed human error for a breach that saw thousands of adopted children's data leaked in an email attachment last summer, while the Information Commissioner's Office (ICO) fined Gloucester City Council 100,000 for falling foul of the Heartbleed hack in 2014.
Raj Samani, chief scientist and fellow at McAfee, criticised the councils for failing to inform citizens of breaches.
"Unless made aware, potential victims the citizens that they're serving are unable to protect themselves, whether by changing passwords or more closely monitoring for instances of fraud," he said.
"That said, we will gain nothing by pointing the finger at the IT and security teams. Managing the growing and evolving against a background backdrop of squeezed budgets, local authorities are having to make difficult choices about where their investments should be made."
Samani added that one solution to this is through automating certain processes, such as removing simple repetitive activities that enable them to put their energy into planning their defences against the wider threat landscape.
The failure of local authorities to protect against malicious online activity against them comes just after the UK's Department of Health admitted that all 200 NHS trusts assessed for cyber security vulnerabilities failed to meet the required standards, following the devastating WannaCry ransomware attack last summer.
The malware affected 300,000 computers in 150 countries in May last year, including 48 NHS trusts, also shutting down multiple hospital IT systems as well as companies and universities elsewhere.