As always, actions speak louder than words
"We(I) apologize" is not enough. Without action to remediate the resultant problems and to forestall repeats an apology is just empty words.
In this case, the following actions seem appropriate:
1. If the malefactor acted contrary to well-publicized, established policies, fire her(him).
2. If such policies exist but were not communicated to staff, fire whoever is responsible for the failure to do so.
3. If no such policies exist, fire those having ultimate authority over IT policies.
4. Under all circumstances, give the council head at least six months suspension without pay. His is the desk the buck stops on, so let it actually stop there.
5. If it is demonstrated that an unqualified person was hired to oversee IT security, decimation of HR would seem to be in order as well.
Maybe I've got the details wrong, but the general principle of insisting that overpaid managerstake responsibility when things go south would seem to be the Correct Approach.
But I suspect that this incident is due to a less obvious, far more pervasive problem: there are too many IT shops for the number of _qualified_ people to oversee. Hence, a lot of IT operations are overseen by unqualified incompetents. What's the answer to this? I'm really not sure, but hiring only those with MCSE certification is definitely not the way to go.
Maybe it's time for the minister in charge of local government to summon all council heads to London and give them a good dressing down, telling them that they _are_ responsible and that if anything goes wrong in the future, they _will_ lose their position and benefits and they _will_ be blacklisted from any further employment in governmental management, including quangos of all types. Draconian, perhaps, but it's time the overpaid drones in charge be held accountable for what they are in charge of.
Knowing Labour, however, I have no expectation of such a hard-nosed approach being taken.