Data watchdog reprimands Hackney council over cyber attack

The UK’s data protection regulator has issued a reprimand to the London Borough of Hackney over its handling of a cyber attack.

The Information Commissioner’s Office (ICO) said the council had “failed to effectively implement sufficient measures” to protect its systems from attack.

The borough was targeted by hackers in October 2020 in an attack which saw cyber criminals gain access to and encrypt 440,000 files, affecting at least 280,000 residents and other individuals. It included personal information related to religious beliefs, health, criminal records, economic data and details of sexual orientation, among other personal identifiers.

According to the ICO, more than 9,600 records were exfiltrated from the council’s systems, which posed a “meaningful risk of harm” to 230 people.

The ICO said the cyber attack also substantially disrupted the council’s operations, with some services not returning to normal until 2022.

In its investigation into the breach, the data protection regulator found security patches had not been properly applied to all devices, and the council had failed to change an insecure password on a dormant account that was still connected to its servers, which was exploited by the hackers.

Stephen Bonner, deputy commissioner of the ICO, said: “This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents.

“At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers.

“Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.

“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber attacks.

“Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.

“If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly.

“Hackney residents have learnt the hard way the consequences for these errors – councils across the country should act now to ensure that those they are responsible for do not suffer the same fate.”

Following the attack, the ICO said the borough took a number of remedial steps, including ensuring all residents were aware of the incident and promptly engaging with the relevant authorities.

The regulator also acknowledged the council had sought to update its security patch management system prior to the attack, the impact of the Covid-19 pandemic on the council’s staff and resources, and it commended the borough for its good governance structures.

It said because of this and the positive actions taken by Hackney council to mitigate harm, a reprimand has been issued rather than a fine.

“The council took swift and comprehensive action to mitigate the harm of the attack as soon as it learned it had taken place, including through their engagement with NCSC (The National Cyber Security Centre), and has taken a number of positive steps since,” Mr Bonner said.

“There is a vital learning from this for both Hackney and for councils across the country – systems must be updated; you have to take preventative measures to reduce the risk and potential impact of human error, and you must ensure that data that is entrusted to you is protected.”

In response, a spokesperson for Hackney council said: “While we welcome the ICO completing its investigation, we maintain that the council has not breached its security obligations.

“We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data.

“However, we do not believe it is in our residents’ interests to use our limited resources to challenge the ICO’s decision.

“Instead, we will continue to work closely with the National Cyber Security Centre, central Government and colleagues across local government and the wider public sector to play our part in defending public services against the ever-increasing threats of cyber attack and to help ensure the safety and wellbeing of our residents.

“Modern IT systems are extremely complex and cyber threats continue to grow. Since 2020, organisations of all sizes in the public and private sector have fallen victim to criminals deploying ever more complex and sophisticated modes of cyber attack.

“To meet this rapidly changing threat, we have been investing and rebuilding our systems to further accelerate the delivery of our strategy of using the most modern and secure systems possible.

“We have worked closely with the National Cyber Security Centre, National Crime Agency and Metropolitan Police to identify, contact and help those who were significantly affected by the cyber attack, and the ICO has recognised our robust and transparent response.”