Council criticised by regulator over cyber attack

[Image: Hackney Town Hall. Caption: Hackney Council did not effectively protect itself from a cyber attack, the regulator said]


Hackney Council has been reprimanded by a regulator over a cyber attack which affected at least 288,000 residents and other individuals.

The borough was targeted by hackers in October 2020 when cyber criminals gained access to and encrypted 440,000 files.

An investigation by the Information Commissioner's Office (ICO) has found the council "failed to effectively implement sufficient measures" to protect its systems from attack.

Hackney Council said it disagreed with the ICO's findings and that it did not breach its security obligations.

Files accessed by the criminals included information about religious beliefs, health, criminal records, economic data and sexual orientation.

According to the ICO, more than 9,600 records were stolen from the council's systems, which posed a "meaningful risk of harm" to 230 people.

The data security regulator said the cyber attack also substantially disrupted the council's operations, with some services not returning to normal until 2022.

'Clear and avoidable error'

The ICO found security measures meant to protect systems were not applied to all devices.

The council also failed to change an insecure password on a dormant account that was still connected to its servers, which was exploited by the hackers.

Stephen Bonner, deputy commissioner of the ICO, said it was "an avoidable error" that resulted in a mass loss of data and had a "severely detrimental impact" on many residents.

"At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers.

"Systems people rely on were offline for many months.

"This is entirely unacceptable and should not have happened."

[Image: Cyber criminals gained access to and encrypted 440,000 files on Hackney Council's systems in the attack in 2020. Source: PA Media]

In response, a Hackney Council spokesperson said the council had not breached its security obligations and that the ICO "misunderstood the facts and misapplied the law".

This, the spokesperson said, "mis-characterised and exaggerated" the risk to residents’ data.

The ICO said positive actions taken by the council following the attack led the watchdog to issue a reprimand rather than a fine.

Mr Bonner said the breach was a learning opportunity for both Hackney and for councils across the country.

He added: "Systems must be updated; you have to take preventative measures to reduce the risk and potential impact of human error; and you must ensure data entrusted to you is protected."
