Council criticised by regulator over cyber attack

13 hours ago

By Aurelia Foster & PA Media, BBC News

Hackney Council did not effectively protect itself from a cyber attack, the regulator said

BBC Hackney Town Hall — Hackney Council did not effectively protect itself from a cyber attack, the regulator said

Hackney Council has been reprimanded by a regulator over a cyber attack which affected at least 288,000 residents and other individuals.

The borough was targeted by hackers in October 2020 when cyber criminals gained access to and encrypted 440,000 files.

An investigation by the Information Commissioner's Office (ICO) has found the council "failed to effectively implement sufficient measures" to protect its systems from attack.

Hackney Council said it disagreed with the ICO's findings and that it did not breach its security obligations.

Files accessed by the criminals included information about religious beliefs, health, criminal records, economic data and sexual orientation.

According to the ICO, more than 9,600 records were stolen from the council's systems, which posed a "meaningful risk of harm" to 230 people.

The data security regulator said the cyber attack also substantially disrupted the council's operations, with some services not returning to normal until 2022.

'Clear and avoidable error'

The ICO found security measures meant to protect systems were not applied to all devices.

The council also failed to change an insecure password on a dormant account that was still connected to its servers, which was exploited by the hackers.

Stephen Bonner, deputy commissioner of the ICO, said it was "an avoidable error" that resulted in a mass loss of data and had a "severely detrimental impact" on many residents.

"At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers.

"Systems people rely on were offline for many months.

"This is entirely unacceptable and should not have happened."

Cyber criminals gained access to and encrypted 440,000 files on Hackney Council's systems in the attack in 2020

PA Media Anon person typing — Cyber criminals gained access to and encrypted 440,000 files on Hackney Council's systems in the attack in 2020

In response, a Hackney Council spokesperson said the council had not breached its security obligations and that the ICO "misunderstood the facts and misapplied the law".

This, the spokesperson said, "mis-characterised and exaggerated" the risk to residents’ data.

The ICO said positive actions taken by the council following the attack, led the watchdog to issue a reprimand rather than a fine.

Mr Bonner said the breach was a learning opportunity for both Hackney and for councils across the country.

He added: "Systems must be updated; you have to take preventative measures to reduce the risk and potential impact of human error; and you must ensure data entrusted to you is protected."

Listen to the best of BBC Radio London on Sounds and follow BBC London on Facebook, X and Instagram. Send your story ideas to [email protected]

Council criticised by regulator over cyber attack

'Clear and avoidable error'

Hackers post Hackney Council's 'stolen documents'

London's Hackney council hit by hack attack

Hackney Council services remain affected by hack

London Borough of Hackney

The Information Commissioner's Office

Hackers steal call records of 'nearly all' AT&T customers

Council 'at mercy of criminal hackers' - report

Fix NHS gaps or face more attacks - ex cyber chief

Cosmetic surgery provider collapses

Coroner 'feared for my family' in kidnap plot

'Chemical incident' at flats hospitalises 10 people

Man in court after men's remains found in cases

Walking through time at the Natural History Museum