A clear and avoidable error by the London Borough of Hackney resulted in a mass loss of data, the data protection watchdog has said as part of a reprimand of the north London council. The reprimand follows a ransomware attack in autumn 2020 in which attackers gained access through an account that had been dormant since 2012 and went on to encrypt 440,000 files, affecting at least 280,000 residents and others, including staff, according to the Information Commissioner’s Office (ICO).

In October 2020, attackers compromised Hackney systems, accessing, encrypting and in some instances exfiltrating records containing personal data. The encrypted data included records revealing residents’ racial or ethnic origin, religious beliefs, sexual orientation, health, economic circumstances and criminal offence history, alongside basic identifiers such as names and addresses. According to the ICO, 9,605 of the affected records were exfiltrated, and the council acknowledged that the attack “posed a meaningful risk of harm” to 230 data subjects.

Stephen Bonner, Deputy Commissioner at the ICO, said: “At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.

“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.

“If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly. Hackney residents have learnt the hard way the consequences for these errors – councils across the country should act now to ensure that those they are responsible for do not suffer the same fate.

“The council took swift and comprehensive action to mitigate the harm of the attack as soon as it learned it had taken place, including through their engagement with NCSC, and has taken a number of positive steps since. There is a vital learning from this for both Hackney and for councils across the country – systems must be updated; you have to take preventative measures to reduce the risk and potential impact of human error and you must ensure that data that is entrusted to you is protected.”

Reprimand

As for the outcome, the ICO said it had considered imposing a fine. However, because the council recognised the potential harms and took immediate steps to mitigate them, the ICO applied its public sector approach, under which public bodies are reprimanded rather than fined.

Hackney view

A spokesperson for Hackney council maintained that the council had not breached its security obligations. “We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data.

“However, we do not believe it is in our residents’ interests to use our limited resources to challenge the ICO’s decision. Instead, we will continue to work closely with the National Cyber Security Centre, central Government and colleagues across local government and the wider public sector to play our part in defending public services against the ever increasing threats of cyberattack and to help ensure the safety and wellbeing of our residents.

“Modern IT systems are extremely complex and cyber threats continue to grow. Since 2020, organisations of all sizes in the public and private sector have fallen victim to criminals deploying ever more complex and sophisticated modes of cyberattack. To meet this rapidly changing threat, we have been investing and rebuilding our systems to further accelerate the delivery of our strategy of using the most modern and secure systems possible.”

Hackney isolated its systems from the internet on October 11, 2020, removing the threat of further exploitation, the ICO noted. At the time of the attack the council had begun, but not completed, a programme to reduce its use of Microsoft Windows devices and so its exposure to Windows-related vulnerabilities. Had a relevant patch, available for some months, been applied, the attacker would not have obtained privileged access, the ICO argued.

The cyber-attack disrupted council systems for many months and, in some instances, services were not back to normal until 2022. One disruption affected the council’s ability to handle Freedom of Information (FoI) requests and subject access requests: the ICO received 39 complaints from people who had made subject access requests to Hackney between August and October 2020 but had not received an appropriate response.

The ICO said it found examples of inadequate security and processes to protect personal data. Hackney failed to ensure that its security patch management system was actively applied to all devices, and failed to change an insecure password on a dormant account that remained connected to council servers and was exploited by the attackers.

Background

