The Information Commissioner’s Office (ICO) has strongly reprimanded the London Borough of Hackney over a series of failings that led to a devastating ransomware attack in October 2020.
The Pysa ransomware gang encrypted a total of approximately 440,000 files affecting 280,000 residents of Hackney in East London, after they exploited old, on-premise servers and systems to access the Council’s IT infrastructure.
The ICO’s investigation found examples of a clear lack of proper security policies at Hackney Council. Among other things, the regulator said it had failed to ensure proper patch management procedures were actively applied to all devices, and nor had it changed an insecure password on a dormant user account that was connected to the Council’s servers, which was exploited by the cyber criminals.
Among the services critically affected were Hackey’s housing services operations, with tenants left unable to make payments, log repairs, approve housing applications, or to apply for housing benefit or its council tax reduction scheme. Residents of the borough were also unable to make online council tax and business rate payments for a time.
The cyber criminals struck as the UK teetered on the brink of a major Covid-19 surge which was to plunge the country back into a series of lockdowns and effectively cancelled Christmas. This very likely heightened the ultimate impact on residents. Normal services were not fully restored until 2022.
“This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents. At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened,” said ICO deputy commissioner Stephen Bonner.
“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.”
“This was a deplorable attack by sophisticated, organised cyber criminals, coming at a time when we were responding to the first wave of the Covid pandemic,” said Hackney mayor Caroline Woodley.
“We deeply regret the impact that this senseless criminal attack had on Hackney residents and businesses, and I am grateful to council staff who continued delivering for our communities despite the challenges, and to our residents for their patience while services were impacted.”
Special category data
During the course of its investigation, the ICO said it found the encrypted information to include information on protected category data under UK GDPR, including information on racial and ethnic background, religious beliefs, sexual orientation, health data, economic data, criminal offence data, and names and addresses.
The Pysa gang subsequently leaked some of the Council’s data, including personally identifiable information (PII) including passport data, scans of tenancy audit documents, staff data, and community safety information. The ICO said that a total of 9,605 records were exfiltrated and posed a meaningful risk of harm to 230 people.
“If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly. Hackney residents have learnt the hard way the consequences for these errors – councils across the country should act now to ensure that those they are responsible for do not suffer the same fate,” said Bonner.
Swift and comprehensive action
In its judgment, the ICO said that Hackney Council had got some things right – it took “swift and comprehensive action” to mitigate the attack as soon as it became clear what was happening, said Bonner, and engaged positively with bodies such as the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), and London’s Metropolitan Police force.
The ICO also praised Hackney Council for effectively engaging with residents and keeping those deemed at significant risk informed throughout.
It also acknowledged that the Council had been to some extent aware of the core vulnerabilities that led to the ransomware attack, and had been on a path to improving its patch management policies with a new system. The ICO further praised the Council’s overall governance structures, policies, improvement plans, training and development of staff in the wake of the attack, and the introduction of a new zero-trust security policy.
In issuing its reprimand, as opposed to a fine, the ICO also noted the impact Covid-19 had had on resources at local authorities at the time of the attack.
“There is a vital learning from this for both Hackney and for councils across the country,” said Bonner. “systems must be updated; you have to take preventative measures to reduce the risk and potential impact of human error and you must ensure that data that is entrusted to you is protected.”
Hackney Council disputes findings
However, in the wake of the ICO’s judgment, both Woodley and Hackney Council hit back, saying they disputed a number of the regulator’s findings. They said they maintained that the Council had not breached its security obligations and accused the ICO of misunderstanding the facts and misapplying the law, as well as mischaracterising and exaggerating the risk to residents’ data.
A Council spokesperson said: “However, we do not believe it is in our residents’ interests to use our limited resources to challenge the ICO’s decision. Instead, we will continue to work closely with the National Cyber Security Centre, central Government and colleagues across local government and the wider public sector to play our part in defending public services against the ever increasing threats of cyber attack and to help ensure the safety and wellbeing of our residents.
“Modern IT systems are extremely complex and cyber threats continue to grow. Since 2020, organisations of all sizes in the public and private sector have fallen victim to criminals deploying ever more complex and sophisticated modes of cyberattack. To meet this rapidly changing threat, we have been investing and rebuilding our systems to further accelerate the delivery of our strategy of using the most modern and secure systems possible.”