Hackney Council in wrangle with UK data watchdog after refusing to answer questions on 2020 cyber attack
Hackney Council is at risk of falling foul of the government’s data watchdog over the multi-million pound cyber attack in October 2020 that hit many of its services.
It comes after it refused to answer questions including if it gave staff extra training on cyber security when they had to work from home and, if it did, whether or not everyone completed it.
In a Freedom of Information (FoI) request, local Liberal Democrat campaigner Darren Martin also wanted to know what training council staff had in the two years before the hack.
Martin said he hoped “to raise awareness and help prevent future cyber attacks”.
The Town Hall failed to respond when he asked for an internal review after his FoI request was refused.
He took his complaint to the Information Commissioner’s Office (ICO), which served an information order on the council last November because it did not “give a substantive reason” for its refusal.
The council had one month to respond and because it had still not replied to emails or phone calls from the ICO, the issue was referred to its legal department.
According to documents seen by the Citizen, the ICO received automated responses stating the council was busy.
If an authority does not respond to an information order, it can be treated as contempt of court.
Martin said: “Working from home is widely noted as increasing the risk of cyber attacks without the security protections that office systems provide, such as firewalls and blacklisted IP addresses.”
He added: “The most obvious risk is that most tasks are conducted online and emails, attachments, cloud documents and third-party services are all vulnerable to cyber criminals.”
The cyber attack hit many council departments, including housing and benefits, and people were unable to do property searches, which stalled some house sales.
The following spring, people claiming to be responsible for the hack published what they say was the stolen data on the dark web in an attempt to raise a ransom from the council.
Now, more than a year on from the attack, many departments are still missing data.
Hackney Council said it did not have to give Martin details about its cyber security training, citing an exemption about the prevention or detection of crime.
The ICO is now considering whether to take further action to compel the council to provide more detail.
Martin said he understood there are some issues which cannot be disclosed but the council should give “substantive reasons why not”.
The Town Hall said it is in contact with the ICO.
A spokeswoman said: “Hackney Council is following up with the ICO to ensure that we fulfil our responsibilities regarding this Freedom of Information request.”
She explained: “The criminal cyber attack on the council’s systems in October 2020 has had significant impacts on the council and our residents.
“The attack on Hackney was part of a rapid increase in serious cyber threats globally, impacting on a large number of high profile organisations.”
The council is “continuing to do everything possible to protect our systems and data, and also to support cyber resilience across the wider local government sector through sharing our learning,” she added.
The council said it is taking a cautious approach over the details it is sharing, but is “committed to being as transparent as possible”.
The spokeswoman went on: “The criminal investigation into the attack is ongoing and sophisticated criminal groups continue to target all organisations. Even information that might appear low-risk may help criminals to cause further harm to the council and our residents.”
The council said an audit carried out by Mazars before the October 2020 attack concluded: “The council had appropriate arrangements in place to either prevent or reduce the likelihood of a cyber security breach.”
A separate report that was discussed behind closed doors at a recent audit committee pinpointed, according to the council spokeswoman, “potential improvement to the arrangements in place” that has “been agreed with the council and is being implemented”.