‘Lack of proper security’ at Hackney Council led to 2020 cyber attack, UK data watchdog finds

Hackney Council “failed to implement measures” that could have prevented the major cyber attack on its IT systems in 2020, the UK’s data watchdog has ruled.

In a report setting out its findings on the hack, the Information Commissioner’s Office (ICO) said it “found examples of a lack of proper security and processes to protect personal data”.

It concludes that Hackney Council “failed to ensure that a security patch management system was actively applied to all devices, and failed to change an insecure password on a dormant account still connected to Hackney Council servers which was exploited by the attackers”.

The council has strongly rejected the findings, accusing the ICO of “mischaracterising and exaggerating the risk to residents’ data”.

The cyber attack, which occurred in October 2020, saw hackers gain access to and encrypt 440,000 files, affecting at least 280,000 residents and council staff.

The data included information about residents’ racial or ethnic origins, religious beliefs, sexual orientation, health, finances, criminal history, as well as basic identifiers such as names and addresses.

“This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents,” said Stephen Bonner, the ICO’s deputy commissioner.

“This is entirely unacceptable and should not have happened.

“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber attacks.

“Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same.

“Time and time again, we see breaches that would not have happened if such mistakes were avoided.”

Bonner did acknowledge that the council took “swift” action and has taken a “number of positive steps” since the attack.

A spokesperson for Hackney Council said: “We maintain that the council has not breached its security obligations.”

They added: “Since 2020, organisations of all sizes in the public and private sector have fallen victim to criminals deploying ever more complex and sophisticated modes of cyber attack.

“We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question and has mischaracterised and exaggerated the risk to residents’ data.”

The spokesperson said “it is not in our residents’ interests to use our limited resources to challenge the ICO’s decision” and that the council will instead “continue to work closely with the National Cyber Security Centre, central government and colleagues across local government and the wider public sector to play our part in defending public services against the ever-increasing threats of cyber attack”.

In a separate statement, Hackney Mayor Caroline Woodley wrote: “We deeply regret the impact that this senseless criminal attack had on Hackney residents and businesses, and I am grateful to council staff who continued delivering for our communities despite the challenges, and to our residents for their patience while services were impacted.”

The cyber attack affected many local services and has cost the Town Hall millions of pounds.