ICO Slams Hackney Council For ‘Avoidable’ Cyber Attack

The Information Commissioners Office (ICO) has issued the London Borough of Hackey with a reprimand for failing to secure citizen data prior to a 2020 cyber attack. 

The attack, which hit the council in October 2020, saw hackers attack the London Borough of Hackney (LBoH) systems and access, encrypt, and in some instances exfiltrate over 440,000 files containing personal data data belonging to at least 280,000 residents and staff. 

This sensitive data included resident’s racial or ethnic origin, religious beliefs, orientation, health data, economic data, criminal offence data, and other data including basic personal identifiers such as names and addresses.

According to a statement from the ICO, 9,605 records of these records were exfiltrated, with the attack being acknowledged by LBoH to have “posed a meaningful risk of harm” to 230 data subjects impacted by the attack. 

The cyber-attack also resulted in LBoH systems being disrupted for many months with, in some instances, services not being back to normal service until 2022. 

In the investigation into the breach, the ICO said it found examples of a lack of proper security and processes to protect personal data. 

These included failing to ensure a security patch management system was actively applied to all devices and failing to change an insecure password on a dormant account still connected to Hackney council servers which was exploited by the attackers. 

“This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents,” said Stephen Bonner, Deputy Commissioner at the ICO. 

“At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.”

‘Deplorable Attack’

The London Borough of Hackney took several remedial steps following the attack, such as ensuring all residents were informed of the attack with in-person notifications for those deemed at significant risk and promptly engaging with relevant authorities such as the NCSC, the NCA and the Metropolitan Police. 

Responding to the British data watchdog’s reprimand, it claimed the borough maintained that the Council had not breached its security obligations. 

“We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data,” the Borough said in a statement.

“We will continue to work closely with the National Cyber Security Centre, central Government and colleagues across local government and the wider public sector to play our part in defending public services against the ever-increasing threats of cyber attacks and to help ensure the safety and wellbeing of our residents.”

Alledged stolen files belonging Hackney Council dumped by hackers.

The borough added that understood the “devastating impact” of the attack and said it would continue its efforts to strengthen its security services by implementing new security measures. This induced the implementation of a new 'zero trust' model designed to provide resilience against future ransomware attacks.

“While we do not agree with all the ICO’s findings, the completion of the investigation means we can focus on our ongoing efforts to keep data secure and deliver the vital services that our residents rely on,” said Caroline Woodley, Mayor of Hackney.

“We deeply regret the impact that this senseless criminal attack had on Hackney residents and businesses, and I am grateful to council staff who continued delivering for our communities despite the challenges, and to our residents for their patience while services were impacted.”

‘Avoidable’

In its statement, the ICO acknowledged that, prior to the attack, the council sought to replace its patch management system with a new state-of-the-art system to reduce vulnerabilities

It had originally considered imposing a fine, but due to the positive actions taken by LBoH including recognising potential harms and taking immediate steps to mitigate these harms, the reprimand has been issued instead for the established infringements of UK GDPR.

Despite Hackey Council's swift and positive response, the ICO believes the attack could have been avoided if the council had implemented security defences to protect against the types of attacks that infiltrated its systems in 2020. 

“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks,” continued Mr Bonner.

Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same.”

“Time and time again, we see breaches that would not have happened if such mistakes were avoided,” he added.