Brian Sims
Editor
THE INFORMATION Commissioner’s Office (ICO) has issued the London Borough of Hackney with a reprimand following a cyber attack four years ago that led to hackers gaining access to (and encrypting) no fewer than 440,000 files, in turn impacting at least 280,000 residents and other individuals, among them members of the London Borough’s staff.
In October 2020, hackers attacked the London Borough of Hackney’s systems, subsequently accessing, encrypting and, in some instances, exfiltrating records containing personal data. The encrypted data included data on residents that revealed their racial or ethnic origin, religious beliefs, sexual orientation, health data, economic data, criminal offence data and other details including basic personal identifiers such as names and addresses.
Some of the data encrypted was also exfiltrated by the attackers. Of those affected records, the ICO understands that 9,605 records were exfiltrated, with the attack being acknowledged by the London Borough of Hackney to have “posed a meaningful risk of harm” to some 230 data subjects.
The hackers encrypted the data and then deleted 10% of the council’s back-up before the organisation managed to intervene. The cyber attack also resulted in London Borough of Hackney systems being disrupted for many months with, in some instances, services not being back to normal until 2022.
One such instance of this disruption related to the London Borough of Hackney’s ability to deal with Freedom of Information requests and subject access requests. The ICO received 39 complaints from individuals who had made subject access requests to the London Borough of Hackney between August and October 2020, but had not received an appropriate response.
In the subsequent investigation into the data breaches, the ICO found examples of a lack of proper security and processes to protect personal data. The London Borough of Hackney failed to ensure that a security patch management system was actively applied to all devices, and also failed to change an insecure password on a dormant account still connected to Hackney Council servers, which was duly exploited by the attackers.
“Clear and avoidable error”
Stephen Bonner, deputy Information Commissioner at the ICO, explained: “This was a clear and avoidable error from the London Borough of Hackney and one that has resulted in a mass loss of data, duly having a severely detrimental impact on many residents. At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.”
Bonner continued: “While nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected its systems and data from cyber attacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.”
Further, Bonner commented: “If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly. Hackney’s residents have learned the hard way the consequences for these errors. Councils across the country should act now to ensure that those under their care and management don’t suffer the same fate.”
The London Borough of Hackney took swift and comprehensive action to mitigate the harm of the attack as soon as it learned of the episode, including through its engagement with the National Cyber Security Centre (NCSC), and has taken a number of positive steps since.
“There is a vital learning from this episode for both Hackney and councils across the country,” urged Bonner. “Systems must be updated. You have to take preventative measures to reduce the risk and potential impact of human error and you must ensure that data entrusted to you is protected.”
Remedial measures
As referenced, the London Borough of Hackney initiated a number of remedial steps following the attack, including ensuring that all residents were informed of the attack, with in-person notifications for those deemed to be at significant risk.
In addition, there was prompt engagement with relevant authorities such as the NCSC, the National Crime Agency and the Metropolitan Police Service. The London Borough of Hackney now has in place a new ‘zero trust’ model designed to provide resilience against future ransomware attacks.
The ICO acknowledges that, prior to the attack, the council sought to replace its patch management system with a new state-of-the-art system designed to reduce vulnerabilities. The ICO also commends the council’s good governance structures, policies, improvement plans and training and development of staff, as well as acknowledging the impact that the COVID-19 pandemic has had on the resources of organisations like local authorities.
Originally, the ICO had considered imposing a fine. However, due to the positive actions taken by the London Borough of Hackney (including the recognition of potential harms and taking immediate steps to mitigate these harms), the public sector approach has been applied and a reprimand has been issued instead for the established infringements of the UK’s GDPR.
Cyber advice for councils
ICO data shows that a growing number of cyber breaches are being reported by the local Government sector, with upwards of 150 episodes reported in the last year alone.
Poor information security leaves systems at risk and may cause real harm. The ICO wants councils across the country to learn lessons from this reprimand and avoid being susceptible to a cyber attack.
For clarity, the ICO has taken enforcement action against organisations who’ve failed to:
* secure external connections with multi-factor authentication
* log and monitor systems and act when there is unexpected activity
* act on alerts from endpoint protection, such as anti-malware or anti-virus (this includes when there has been successful removal of malware)
* use strong passwords on internal accounts and/or unique passwords across multiple accounts (this is especially the case for privileged, administrator or service accounts)
* mitigate known vulnerabilities, applying critical patches within 14 days where possible
Further information is available online by visiting the ICO’s security guidance pages for organisations.
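Two of the failures above map directly onto what the ICO found at Hackney: a dormant account whose password was the same as its username, and patches not applied across every device. The script below is an added example of a defender-side hygiene audit, written for this page and not taken from the ICO, the NCSC or the London Borough of Hackney. It runs over a constructed account and patch inventory (every username, hash, date and patch identifier is made up), treats the 14-day patch window as the page states it, and assumes a 90-day dormancy threshold and a salted SHA-256 hash scheme purely for illustration.

```python
import hashlib
import hmac
from datetime import date

# Policy thresholds: the 14-day patch window is from the ICO list above;
# the 90-day dormancy window and the audit date are assumptions for this example.
PATCH_SLA_DAYS = 14
DORMANT_AFTER_DAYS = 90
AS_OF = date(2020, 10, 1)  # constructed audit date


def hash_password(password: str, salt: str) -> str:
    # Salted SHA-256 stands in for whatever scheme a real directory stores;
    # the audit only needs to recompute that scheme for a few candidate values.
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed account inventory (no real data): usernames, salts, stored
# hashes and last-login dates are invented to exercise each check.
ACCOUNTS = [
    {"user": "svc_legacy", "salt": "s1", "hash": hash_password("svc_legacy", "s1"),
     "last_login": date(2019, 11, 20), "privileged": True},
    {"user": "j.smith", "salt": "s2", "hash": hash_password("Corr3ct-Horse!", "s2"),
     "last_login": date(2020, 9, 28), "privileged": False},
    {"user": "dba_admin", "salt": "s3", "hash": hash_password("DBA_ADMIN", "s3"),
     "last_login": date(2020, 9, 30), "privileged": True},
]

# Constructed patch inventory: release date of a critical patch and the date
# each host installed it (None = still outstanding). Patch ids are placeholders.
HOSTS = [
    {"host": "fileserver-01", "patch": "KB-EXAMPLE-1",
     "released": date(2020, 9, 1), "installed": date(2020, 9, 10)},
    {"host": "fileserver-02", "patch": "KB-EXAMPLE-1",
     "released": date(2020, 9, 1), "installed": None},
    {"host": "web-01", "patch": "KB-EXAMPLE-2",
     "released": date(2020, 9, 25), "installed": None},
]


def find_dormant_accounts(accounts, as_of=AS_OF, dormant_after_days=DORMANT_AFTER_DAYS):
    """Usernames not used for longer than the dormancy window."""
    return [a["user"] for a in accounts
            if (as_of - a["last_login"]).days > dormant_after_days]


def find_username_as_password(accounts):
    """Usernames whose stored hash matches the username or a case variant of it.

    Recompute the hash for a handful of known-bad candidates and compare in
    constant time; no plaintext passwords are needed or recovered.
    """
    flagged = []
    for a in accounts:
        candidates = {a["user"], a["user"].lower(), a["user"].upper()}
        for cand in candidates:
            if hmac.compare_digest(hash_password(cand, a["salt"]), a["hash"]):
                flagged.append(a["user"])
                break
    return flagged


def find_overdue_patches(hosts, as_of=AS_OF, sla_days=PATCH_SLA_DAYS):
    """(host, patch) pairs where a critical patch is outstanding beyond the SLA."""
    return [(h["host"], h["patch"]) for h in hosts
            if h["installed"] is None and (as_of - h["released"]).days > sla_days]


def audit(accounts=ACCOUNTS, hosts=HOSTS, as_of=AS_OF):
    """Combine the checks; a dormant account with a guessable password is
    the exact combination the reprimand describes, so it is reported separately."""
    dormant = find_dormant_accounts(accounts, as_of)
    weak = find_username_as_password(accounts)
    return {
        "dormant": dormant,
        "username_as_password": weak,
        "dormant_and_weak": sorted(set(dormant) & set(weak)),
        "overdue_patches": find_overdue_patches(hosts, as_of),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

Run it as-is to see the constructed inventory flagged; in practice the candidate list for the password check would be fed from a policy's known-bad values and the inventories pulled from the directory and patch-management system, with the findings routed to whoever owns the account or host. The constant-time comparison is not strictly needed for an offline audit but keeps the helper safe to reuse in an online check.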