Data watchdog reprimands Hackney Council over cyber attack


The UK’s data protection regulator has issued a reprimand to the London Borough of Hackney over its handling of a cyber attack.

The Information Commissioner’s Office (ICO) said the council had “failed to effectively implement sufficient measures” to protect its systems from attack.

The borough was targeted by hackers in October 2020 in an attack which saw cyber criminals gain access to and encrypt 440,000 files, affecting at least 280,000 residents and other individuals. It included personal information related to religious beliefs, health, criminal records, economic data and details of sexual orientation, among other personal identifiers.

According to the ICO, more than 9,600 records were exfiltrated from the council’s systems, which posed a “meaningful risk of harm” to 230 people.

The ICO said the cyber attack also substantially disrupted the council’s operations, with some services not returning to normal until 2022.

In its investigation into the breach, the data protection regulator found security patches had not been properly applied to all devices, and the council had failed to change an insecure password on a dormant account that was still connected to its servers, which was exploited by the hackers.

Stephen Bonner, deputy commissioner of the ICO, said: “This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents.

“At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers.

“Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.

“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber attacks.

“Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.

“If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly.

“Hackney residents have learnt the hard way the consequences for these errors – councils across the country should act now to ensure that those they are responsible for do not suffer the same fate.”

Following the attack, the ICO said the borough took a number of remedial steps, including ensuring all residents were aware of the incident and promptly engaging with the relevant authorities.

The regulator also acknowledged the council had sought to update its security patch management system prior to the attack, the impact of the Covid-19 pandemic on the council’s staff and resources, and it commended the borough for its good governance structures.

It said because of this and the positive actions taken by Hackney council to mitigate harm, a reprimand has been issued rather than a fine.

“The council took swift and comprehensive action to mitigate the harm of the attack as soon as it learned it had taken place, including through their engagement with NCSC (The National Cyber Security Centre), and has taken a number of positive steps since,” Mr Bonner said.

“There is a vital learning from this for both Hackney and for councils across the country – systems must be updated; you have to take preventative measures to reduce the risk and potential impact of human error, and you must ensure that data that is entrusted to you is protected.”
