Council cyber attack data published on dark web as Hackney Mayor apologises for ‘worry and upset’

Hackney Town Hall.

Data stolen in a serious cyber attack on Hackney Council has been published on the dark web, it has been revealed.

The attack left multiple systems at the Town Hall paralysed and even affected the local property market, with speculation rife that it had been carried out through ransomware, which prevents access to a target computer system or data unless the attacker is paid by the victim.

The Town Hall has refused to confirm the nature of the attack since it took place in October, but now images published by Sky News appear to show screenshots of material made available through the use of ransomware tool Pysa/Mespinoza, with filenames shown including terms such as Staff Data, Passports, Complaints Community Safety, and Tenancy Audits.

Cyber security expert Luke Mead, CEO of IT company LMS Group, said: “Going back to when it happened, it was evidently clear that it was a ransomware attack. It’s not a first that this has happened, in cyber criminals threatening or going forward and publishing information on the dark web.

“I believe it will set a precedent moving forward – cyber crime is most definitely developing. My perception from an outside point of view would be that what has happened here is that the cyber criminals have run their ransomware attack, have held the council to extortion to say they demand a ransom to unlock the encrypted files or systems.

“My gut feeling would be that the council have said ‘No’, we’re not paying the ransom, at which point they have said ‘OK, we will publish this information on the dark web unless you pay us’. One would assume either that payment hasn’t gone ahead, or it has and nonetheless they still move forward.

“Nowadays information and data is really worth more than gold and oil. With someone’s identification you can take out credit in their name and that person can fall victim of identity theft without them knowing.

“It is pretty widespread knowledge that many local authorities are not up to date with IT best practice. Given that Hackney has fallen foul here, it is a big red flag for local authorities.

“If you are aiming for low-hanging fruit, would I hack a bank to take money, or take the easy route by hacking a local authority and thereby have a wider chance of obtaining funds from individuals?”

Experts supporting the council in their investigation are of the belief that what has been published is a limited set of data, pointing also to the fact that it has not been published on a widely available public forum and is not visible on internet search engines.

The council were unable to comment on whether they have received any communications from the criminals due to the ongoing investigation, or to confirm whether the images of the file names published by Sky News showing titles such as Tenancy Audit Scans were an accurate reflection of their contents.

Tenancy audits are surveys of residents to establish whether a council home is being looked after correctly, or if the property is being sublet.

Councils use survey forms during the audits to collect identification, demographic information, a household’s composition, contact details, income, and benefits. Identification provided can include utility bills, bank statements, passports, birth certificates, driving licences, or letters from government departments.

In accounts of other attacks on French local authorities using Pysa outlined by the Agence Nationale de la Securite des Systemes d’Information, standard messages were received by victims stating: “To get all your data back contact us.” One showed an offer of a free decryption of two files as proof of good faith.

Anti-malware advice published by NHS Digital on Pysa says that the tool was first observed in October 2019, and defines it as a “human-operated ransom tool created by an as yet unidentified advanced persistent threat group”.

The council has not revealed any details as to how the attack took place, but it is understood that it can potentially either be distributed through so-called ‘brute-force’ attacks, in which an attacker tries all possible passwords and phrases for a system, or through spam or phishing email campaigns.

Hackney Mayor Philip Glanville said: “It is utterly deplorable that organised criminals chose last year to deliberately attack Hackney, damaging services and stealing from our borough, our staff, and our residents in this way, and all while we were in the middle of responding to a global pandemic.

“Now, four months on, at the start of a new year and as we are all responding to the second wave, they have decided to compound that attack and now release stolen data. Working with our partners we will do everything we can to help bring them to justice.

“I fully understand and share the concern of residents and staff about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected.

“While we believe this publication will not directly affect the vast majority of Hackney’s residents and businesses, that can feel like cold comfort, and we are sorry for the worry and upset this will cause them.

“We are already working closely with the police and other partners to assess any immediate actions we need to take, and will share further information about the additional action we will be taking as soon as we can.”

A council spokesperson added: “Council staff are working closely with the National Cyber Security Centre, National Crime Agency (NCA), Information Commissioner’s Office (ICO), the Metropolitan Police and other experts to investigate what has been published and take immediate action where necessary.

“At this stage, it appears that the vast majority of the sensitive or personal information held by the council is unaffected, but the council and its partners are reviewing the data carefully and will support anyone directly affected.”

An ICO spokesperson said: ”People have the right to expect that their personal information is handled securely by any organisation. When this isn’t the case, it can cause real distress – especially if it is sensitive information.

“We received a data breach report from the London Borough of Hackney in 2020, and our investigation is continuing. If anyone is concerned about their personal information they should contact the council first, if they are not satisfied, they can bring their concerns to us.”

An NCA spokesperson said: “We are aware that information has been published online as a result of a cyber incident affecting Hackney Borough Council. NCA officers are working closely with the council and the Metropolitan Police Service to manage any risk.”

You can read the ICO guidance on what to do if your identity is stolen here.

If you’re concerned about your data, Hackney’s Data Protection Officer is Nicholas Welburn, who can be reached on nicholas.dataprotection@hackney.gov.uk