Threat of another cyber attack still ‘very significant’, council warns

The ICO said the 2020 attack was the result of a ‘clear and avoidable error’. Image: Adobe Stock

Hackney Council has said the threat of another cyber attack remains “very significant”, despite efforts to transform its systems in light of the notorious 2020 hack.

At last week’s meeting of the audit committee, councillors examined the Town Hall’s updated risk register, which outlines financial and other vulnerabilities the borough is facing.

Mr Michael Sheffield, the borough’s corporate audit chief, told the council that progress and performance were “on track”, though some third-party organisations the council deals are still lacking in their ability to manage risk.

But while the latest report downgrades the official ‘threat’ score of a potential cyber attack, it also lays out plainly the the perils posed by evolving techniques and “attack models by criminal and state threat actors”.

Pointing to other large and public organisations that have fallen victim to ransomware incidents, including the Post Office, the BBC and the NHS system provider,  these increasingly sophisticated methods present “direct risks” to council’s internal and external systems.

Alongside these are the “ongoing” danger of stolen data (‘exfiltration’), while emerging technologies like artificial intelligence (AI) also need “careful monitoring”, the report states.

However, the Town Hall assures its service systems have been revamped following the hack, with a more segmented and separated design to “reduce the scale of impact”, leading to the lower risk score.

Other safety measures the council is adopting include switching to “the most modern cloud-based system possible”, a move it says was planned since before the cyber attack.

There will also be strict guidelines issued around the use of AI, and the Town Hall says it is prioritising working with the Ministry of Housing, Communities and Local Government to develop a ‘Cyber Assessment Framework’ (CAF) for local authorities.

In October 2020, the council’s ICT systems were ravaged by cyber criminals in an attack that has since played havoc with operations, including housing, planning and land charges.

The Citizen revealed in December that the borough was still paying hundreds of thousands more than planned to address the impact.

Last year, the Information Commissioner’s Office (ICO) condemned the council for a “clear and avoidable error” which left the Town Hall vulnerable to the mass data loss, causing “a severely detrimental impact on many residents”.

At the time, a council spokesperson pushed back on the watchdog’s conclusions, saying the ICO had “misunderstood the facts and misapplied the law”.

The local authority says it continues to “cooperate closely” with the regulator to support its investigation into the attack.

Earlier this month, the Citizen also reported that the council had finished procuring a new “off-the-shelf” housing management system that will be implemented in phases this year.

During the committee meeting, Cllr Ian Rathbone (Lea Bridge) voiced his confusion over the attack’s lingering aftermath, alluding to the Citizen‘s report.

“I found it quite alarming that after four years we’re still saying we’re suffering from the cyber attack,” he told director of climate, homes and economy Rickardo Hyatt.

“Obviously there were still going to be some after effects, but surely this is a major item of what we do,” Rathbone said.

“Are we saying that our problems identified in the last year or two, such as backlogs of repairs, are to do with the fact that we are still suffering from that cyber attack?”

Mr Hyatt, who joined the council directorate in 2022, confirmed that housing services were more severely affected by the hack.

However, he explained that the local authority was already eyeing a new system before the pandemic, but Covid-19 then saw the borough’s repairs backlog soar to 7,000 cases.

Combined with the ransomware attack, this created a “perfect storm”, he said.

The council’s decision to purchase a new “off-the-shelf” housing system was first announced in 2023.

Hyatt added that the “integrated” software solution chosen was rubber-stamped by the cabinet insourcing and procurement committee last year.

Cllr Anna Lynch used her privilege as audit committee chair to bemoan the fact that officials were being forced to read accounts of Town Hall cybersecurity in the media.

“I wish all members to be notified if there’s going to be external press reports,” she said.

“I’m tired of hearing about Hackney or being sent links about issues with [the council] without us being given any briefings around it.”