Information Commissioner and London borough at loggerheads after council reprimanded for failing to implement measures that could have prevented cyber-attack

The Information Commissioner’s Office (ICO) has issued the London Borough of Hackney with a reprimand following a cyber-attack in 2020, after the regulator found examples of a “lack of proper security and processes” by the council to protect personal data.

In response to the reprimand, Hackney claimed that the ICO had “misunderstood the facts and misapplied the law with respect to the issues in question”.

In October 2020, hackers attacked the council’s systems - accessing, encrypting, and in some instances exfiltrating records containing personal data (the unauthorised transfer of data from a computer or device subject to a cyber-attack).

According to the ICO, hackers gained access to and encrypted 440,000 files, affecting at least 280,000 residents and other individuals including staff.

The encrypted data included data on residents that revealed their racial or ethnic origin, religious beliefs, sexual orientation, health data, economic data, criminal offence data, and other data including basic personal identifiers such as names and addresses, the watchdog noted.

The cyber-attack also resulted in council systems being disrupted for many months with, in some instances, services not being back to normal service until 2022.

Following an investigation into the data breaches, the Commissioner found a “failure to implement measures” that could have prevented the cyber-attack, with examples of a lack of proper security and processes to protect personal data.

It said: “The London Borough of Hackney failed to ensure that a security patch management system was actively applied to all devices, and failed to change an insecure password on a dormant account still connected to Hackney council servers which was exploited by the attackers.”

The watchdog noted that following the attack, the council took a number of “remedial steps”, including ensuring all residents were informed of the attack, with in-person notifications for those deemed at significant risk, promptly engaging with relevant authorities such as the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the Metropolitan Police, and improving processes.

The ICO warned that that a “growing number” of cyber breaches are being reported by the local government sector, with more than 150 cyber incidents reported in the last year.

To avoid being susceptible to a cyber-attack, the regulator reminded organisations to:

• secure external connections without multi-factor authentication
• log and monitor systems, and act when there is unexpected activity
• act on alerts from endpoint protection, such as anti-malware or anti-virus
• use strong passwords on internal accounts or use unique passwords across multiple accounts, or both. This is especially the case for privileged, administrator or service accounts
• mitigate against known vulnerabilities, applying critical patches within 14 days where possible

Stephen Bonner, Deputy Commissioner at the ICO said: “This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents. At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.

“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.”

He continued: “The council took swift and comprehensive action to mitigate the harm of the attack as soon as it learned it had taken place, including through their engagement with NCSC, and has taken a number of positive steps since.

“There is a vital learning from this for both Hackney and for councils across the country – systems must be updated; you have to take preventative measures to reduce the risk and potential impact of human error and you must ensure that data that is entrusted to you is protected.”

A spokesperson for Hackney Council said: “While we welcome the ICO completing its investigation, we maintain that the council has not breached its security obligations. We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data.

“However, we do not believe it is in our residents’ interests to use our limited resources to challenge the ICO’s decision. Instead, we will continue to work closely with the National Cyber Security Centre, central Government and colleagues across local government and the wider public sector to play our part in defending public services against the ever increasing threats of cyberattack and to help ensure the safety and wellbeing of our residents.”

Lottie Winson