We have issued the London Borough of Hackey with a reprimand following a cyber-attack in 2020 that led to hackers gaining access to and encrypting 440,000 files, affecting at least 280,000 residents and other individuals including staff.
In October 2020, hackers attacked the London Borough of Hackney (LBoH) systems – accessing, encrypting, and in some instances exfiltrating records containing personal data. The encrypted data included data on residents that revealed their racial or ethnic origin, religious beliefs, sexual orientation, health data, economic data, criminal offence data, and other data including basic personal identifiers such as names and addresses.
Some of the data which was encrypted was also exfiltrated by the attackers. Of those affected records, we understand that 9,605 records were exfiltrated, with the attack being acknowledged by LBoH to have “posed a meaningful risk of harm” to 230 data subjects.
The hackers encrypted the data and then deleted 10% of the council’s backup before the council managed to intervene. The cyber-attack also resulted in LBoH systems being disrupted for many months with, in some instances, services not being back to normal service until 2022. One such instance of this disruption related to LBoH’s ability to deal with Freedom of Information requests and subject access requests. We received 39 complaints from individuals who had made subject access requests to LBoH between August and October 2020 but had not received an appropriate response.
In the subsequent investigation into the data breaches, we found examples of a lack of proper security and processes to protect personal data. LBOH failed to ensure that a security patch management system was actively applied to all devices, and failed to change an insecure password on a dormant account still connected to Hackney council servers which was exploited by the attackers.
Stephen Bonner, Deputy Commissioner at the ICO:
This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents. At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.
Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.
If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly. Hackney residents have learnt the hard way the consequences for these errors – councils across the country should act now to ensure that those they are responsible for do not suffer the same fate.
The council took swift and comprehensive action to mitigate the harm of the attack as soon as it learned it had taken place, including through their engagement with NCSC, and has taken a number of positive steps since.
There is a vital learning from this for both Hackney and for councils across the country – systems must be updated; you have to take preventative measures to reduce the risk and potential impact of human error and you must ensure that data that is entrusted to you is protected.
LBoH took a number of remedial steps following the attack, including ensuring all residents were informed of the attack, with in-person notifications for those deemed at significant risk, promptly engaging with relevant authorities such as the NCSC, the NCA and the Metropolitan Police, and improving processes. The council now has in place a new ‘zero trust’ model designed to provide resilience against future ransomware attacks.
We acknowledge that, prior to the attack, the council sought to replace its patch management system with a new state-of-the-art system to reduce vulnerabilities. We also commend the council’s good governance structures, policies, improvement plans and training and development of staff, as well as acknowledging the impact that the Covid-19 pandemic has had on the resources of organisations like local authorities.
We had originally considered imposing a fine. However, due to the positive actions taken by LBoH including recognising potential harms and taking immediate steps to mitigate these harms, the public sector approach has been applied and a reprimand has been issued instead for the established infringements of UK GDPR.
Advice to councils on cyber-security
Our data shows that a growing number of cyber breaches are being reported by the local government sector, with over 150 cyber incidents reported in the last year.
Poor information security leaves systems at risk and may cause real harm. We want councils across the country to learn from this reprimand and avoid being susceptible to a cyber-attack We have taken enforcement action against organisations who have failed to:
- secure external connections without multi-factor authentication
- log and monitor systems, and act when there is unexpected activity
- act on alerts from endpoint protection, such as anti-malware or anti-virus. This includes when there has been successful removal of malware
- use strong passwords on internal accounts or use unique passwords across multiple accounts, or both. This is especially the case for privileged, administrator or service accounts
- mitigate against known vulnerabilities, applying critical patches within fourteen days where possible
For more advice, visit our security guidance for organisations.