
Hackney Council Reprimanded by ICO Over 2020 Attack Failings

ICO says it did not issue a fine due to improvements in infrastructure and notifications made.


The London Borough of Hackney has been reprimanded following the 2020 cyber attack that led to hackers gaining access to and encrypting 440,000 files.

According to the Information Commissioner’s Office (ICO), at least 280,000 residents and other individuals, including staff, were affected in the attack, in which attackers accessed, encrypted and in some instances exfiltrated records containing personal data.

Encrypted Data

The encrypted data included data on residents that revealed their racial or ethnic origin, religious beliefs, sexual orientation, health data, economic data, criminal offence data, and other data including basic personal identifiers such as names and addresses.

It is also believed that 9,605 records were exfiltrated, with the attack being acknowledged by Hackney Council to have “posed a meaningful risk of harm” to 230 data subjects.

Attackers also deleted ten percent of the council’s backup before the council managed to intervene.

The cyber attack also disrupted Hackney Council's systems for many months, with some services not back to normal until 2022.

Clear and Avoidable

Stephen Bonner, deputy commissioner at the ICO, called this a “clear and avoidable error that has resulted in a mass loss of data and has had a severely detrimental impact on many residents.”

He said: “At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.”

The ICO's subsequent investigation into the data breaches found examples of a lack of proper security and processes to protect personal data. These included failing to ensure a security patch management system was actively applied to all devices, and failing to change an insecure password on a dormant account, still connected to Hackney Council servers, which was exploited by the attackers.

Good Governance Structures

The ICO commended Hackney Council’s “good governance structures, policies, improvement plans and training and development of staff”. Because of the positive actions the council took, including ensuring all residents were informed of the attack (with in-person notifications for those deemed at significant risk), promptly engaging with relevant authorities and improving processes, the ICO said it would not impose a fine.

“If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly,” Bonner said. “Hackney residents have learnt the hard way the consequences for these errors – councils across the country should act now to ensure that those they are responsible for do not suffer the same fate.

“The council took swift and comprehensive action to mitigate the harm of the attack as soon as it learned it had taken place, including through their engagement with NCSC, and has taken a number of positive steps since.”


Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
