A London Council has been reprimanded for cybersecurity failings that led to a data breach affecting at least 280,000 residents.
The UK’s Information Commissioner’s Office (ICO) said its investigation into the 2020 ransomware incident highlighted a lack of proper security and processes to protect personal data at the London Borough of Hackney (LBoH).
This included failing to ensure that a security patch management system was actively applied to all devices, and not changing an insecure password on a dormant account that was still connected to Hackney Council servers and was exploited by the attackers.
In the October 2020 attack, threat actors infiltrated LBoH computer systems and accessed, encrypted and exfiltrated records containing personal data.
This included highly sensitive information on residents’ racial or ethnic origin, religious beliefs, sexual orientation, health data, economic data and criminal offence data. In addition, personally identifiable information (PII) such as names and addresses was accessed in the attack, which was traced to the Pysa/Mespinoza ransomware group.
Nearly 10,000 records are believed to have been exfiltrated by the attackers, with LBoH acknowledging a “meaningful risk of harm” to 230 data subjects.
The incident also caused huge disruption to local services, including land searches for property transactions, business rate and council tax payments, and disbursement of COVID support and energy rebate funds.
It was reported that LBoH was forced to spend over £12m ($15.6m) in recovery costs as a result of the attack.
Stephen Bonner, Deputy Commissioner at the ICO, commented: “This was a clear and avoidable error from LBoH, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents.”
“At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.”
Responding to the reprimand, an LBoH spokesperson said the authority contested the ICO’s conclusion that it failed in its cybersecurity obligations to residents.
“While we welcome the ICO completing its investigation, we maintain that the Council has not breached its security obligations. We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterized and exaggerated the risk to residents’ data,” the spokesperson said.
LBoH added that it will not be challenging the ICO’s ruling, citing “limited resources.”
The ICO revealed it had considered imposing a fine on LBoH for the security failings, but instead chose to issue a reprimand in line with its policy of minimizing financial penalties on public sector organizations, given the potential negative impact of such penalties on public services.
Hackney Council’s Response Praised
The data protection regulator also praised the Council’s response to the incident, including ensuring all residents were informed of the attack, with in-person notifications for those deemed at significant risk. It also noted that LBoH promptly engaged with relevant authorities, such as the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).
Additionally, the ICO acknowledged that the Council has now implemented a zero trust model of security, and prior to the incident, had sought to replace its patch management system with a new state-of-the-art system to reduce vulnerabilities.
LBoH was also commended for its good governance structure, improvement plans and security training and development of staff.
Bonner said: “There is a vital learning from this for both Hackney and for councils across the country – systems must be updated; you have to take preventative measures to reduce the risk and potential impact of human error and you must ensure that data that is entrusted to you is protected.”