The Information Commissioner’s Office (ICO) has issued the London Borough of Hackney with a reprimand for the breach of large volumes of data in a cyber attack in 2020.
It said it had originally considered imposing a fine, but because the council took immediate steps to mitigate the harm, it applied its public sector approach and issued a reprimand instead.
The attack led to hackers gaining access to and encrypting 440,000 files, affecting at least 280,000 residents and other individuals including staff.
They were able to exfiltrate records containing personal data and to encrypt data on residents that revealed their racial or ethnic origin, religious beliefs, sexual orientation, health and economic data and record of any criminal offences, along with personal identifiers such as names and addresses.
Some of the data which was encrypted was also exfiltrated by the attackers. Of those affected records, the ICO understands that 9,605 records were exfiltrated, with the attack being acknowledged by Hackney to have “posed a meaningful risk of harm” to 230 data subjects.
The hackers encrypted the data and then deleted 10% of the council’s back-up before it managed to intervene.
Patch management failing
In the subsequent investigation into the data breaches, the ICO found examples of a lack of proper security and processes to protect personal data. It said that Hackney failed to ensure that a security patch management system was actively applied to all devices, and failed to change an insecure password on a dormant account still connected to council servers which was exploited by the attackers.
The attack also resulted in Hackney’s systems being disrupted for many months, with some services not returning to normal until 2022. One such instance of this disruption affected its ability to deal with freedom of information and subject access requests.
The ICO received 39 complaints from individuals who had made subject access requests to Hackney between August and October 2020 but had not received an appropriate response.
Detrimental impact
Stephen Bonner, deputy commissioner at the ICO, said: “This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents. At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers.
“Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.
“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber attacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.
“If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly. Hackney residents have learnt the hard way the consequences for these errors – councils across the country should act now to ensure that those they are responsible for do not suffer the same fate.
“The council took swift and comprehensive action to mitigate the harm of the attack as soon as it learned it had taken place, including through their engagement with NCSC, and has taken a number of positive steps since.
“There is a vital learning from this for both Hackney and for councils across the country – systems must be updated; you have to take preventative measures to reduce the risk and potential impact of human error and you must ensure that data that is entrusted to you is protected.”
Positive steps
The ICO has acknowledged that, prior to the attack, Hackney sought to replace its patch management system with a new state-of-the-art system to reduce vulnerabilities. It also commended the council’s good governance structures, policies, improvement plans and training and development of staff, as well as acknowledging the impact that the Covid-19 pandemic has had on the resources of organisations like local authorities.
In addition, it reported that the council took a number of remedial steps following the attack, including ensuring all residents were informed, with in-person notifications for those deemed at significant risk, promptly engaging with relevant authorities such as the National Cyber Security Centre, the National Crime Agency and the Metropolitan Police, and improving processes.
It has now put in place a new zero trust model designed to provide resilience against future ransomware attacks.
Council response
Hackney Council has responded with a claim that it did not breach its security obligations and that the ICO has misunderstood the facts and exaggerated the risk to residents’ data.
A spokesperson said: “Modern IT systems are extremely complex and cyber threats continue to grow. Since 2020, organisations of all sizes in the public and private sector have fallen victim to criminals deploying ever more complex and sophisticated modes of cyberattack. To meet this rapidly changing threat, we have been investing and rebuilding our systems to further accelerate the delivery of our strategy of using the most modern and secure systems possible.
“We have worked closely with the National Cyber Security Centre, National Crime Agency and Metropolitan Police to identify, contact and help those who were significantly affected by the cyberattack, and the ICO has recognised our robust and transparent response.”
Mayor of Hackney Caroline Woodley added: “While we do not agree with all the ICO’s findings, the completion of the investigation means we can focus on our ongoing efforts to keep data secure and deliver the vital services that our residents rely on.
“We deeply regret the impact that this senseless criminal attack had on Hackney residents and businesses, and I am grateful to council staff who continued delivering for our communities despite the challenges, and to our residents for their patience while services were impacted.”
The council added that it does not think it appropriate to use resources in challenging the ICO’s decision.
Widespread threat
The ICO added that over 150 cyber incidents have been reported by local government organisations over the past year and that it wants other councils to learn from the reprimand to Hackney.
It has advocated the use of measures including multi-factor authentication for external connections, the use of strong passwords on internal accounts, applying patches against known vulnerabilities within 14 days and acting on alerts from endpoint protection.
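The findings above (a dormant account still enabled with a trivial password, patches not applied everywhere) and the measures the ICO advocates (MFA for external connections, strong internal passwords, patching within 14 days) all reduce to checks an organisation can run against its own inventory. The script below is an added example written for this article, not code from the ICO, the NCSC or Hackney Council. The account and host records are constructed sample data; the 90-day dormancy threshold and the salted-SHA-256 password scheme are assumptions made so the "password equals username" test can be expressed against a stored hash rather than a plaintext password. The 14-day patch window is the figure from the ICO guidance quoted above.

```python
"""Inventory audit for the control failures described in the ICO reprimand.

Added illustration: dormant-but-enabled accounts, accounts whose password is
their own username, external access without MFA, and patches outside a
14-day service level. Data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import hashlib

PATCH_SLA_DAYS = 14      # ICO guidance quoted in the article
DORMANT_AFTER_DAYS = 90  # assumed threshold; the article gives no figure


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]
    external_access: bool
    mfa_enrolled: bool
    salt: str
    password_hash: str  # hex sha256(salt + password); assumed scheme


@dataclass
class Host:
    name: str
    patch_released: date
    patch_applied: Optional[date]


def hash_password(salt: str, password: str) -> str:
    """Assumed storage scheme for the example; real directories differ."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for the account weaknesses above."""
    findings = []
    for a in accounts:
        idle = a.last_login is None or (today - a.last_login).days > DORMANT_AFTER_DAYS
        if a.enabled and idle:
            findings.append((a.username, "dormant-but-enabled"))
        # Hash the username under the account's own salt: a match means the
        # password is the username, without ever handling a plaintext password.
        if hash_password(a.salt, a.username) == a.password_hash:
            findings.append((a.username, "password-equals-username"))
        if a.external_access and not a.mfa_enrolled:
            findings.append((a.username, "external-access-without-mfa"))
    return findings


def audit_patching(hosts: List[Host], today: date) -> List[Tuple[str, str, int]]:
    """Return (host, finding, days past deadline) for patches outside the SLA."""
    findings = []
    for h in hosts:
        deadline = h.patch_released + timedelta(days=PATCH_SLA_DAYS)
        if h.patch_applied is None:
            if today > deadline:
                findings.append((h.name, "patch-overdue", (today - deadline).days))
        elif h.patch_applied > deadline:
            findings.append((h.name, "patch-applied-late", (h.patch_applied - deadline).days))
    return findings


# Constructed sample inventory (not real Hackney data).
TODAY = date(2020, 10, 12)
ACCOUNTS = [
    Account("svc-legacy", True, date(2019, 11, 3), False, False, "s1",
            hash_password("s1", "svc-legacy")),            # dormant, weak
    Account("jsmith", True, date(2020, 10, 9), True, True, "s2",
            hash_password("s2", "correct-horse-battery")),  # healthy
    Account("remote-contractor", True, date(2020, 10, 1), True, False, "s3",
            hash_password("s3", "Tr0ub4dor&3")),            # no MFA
    Account("old-intern", False, date(2018, 6, 1), False, False, "s4",
            hash_password("s4", "left-in-2018")),           # disabled: fine
]
HOSTS = [
    Host("fileserver-01", date(2020, 9, 1), date(2020, 9, 10)),   # in SLA
    Host("fileserver-02", date(2020, 9, 1), None),                # overdue
    Host("vpn-gw", date(2020, 9, 20), date(2020, 10, 8)),         # late
    Host("laptop-77", date(2020, 10, 5), None),                   # not yet due
]


def sample_account_findings() -> List[Tuple[str, str]]:
    return audit_accounts(ACCOUNTS, TODAY)


def sample_patch_findings() -> List[Tuple[str, str, int]]:
    return audit_patching(HOSTS, TODAY)


if __name__ == "__main__":
    for f in sample_account_findings() + sample_patch_findings():
        print(f)
```

Run against the sample data it reports svc-legacy twice (dormant and password-equals-username), remote-contractor for missing MFA, fileserver-02 as 27 days overdue and vpn-gw as patched four days late; laptop-77 is still inside its window. Feeding it a real directory export and patch-compliance report in place of the constructed lists is the only change needed to use it as a periodic check.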