The Information Commissioner’s Office (ICO) has issued a damning verdict on the London Borough of Hackney’s (LBoH) cybersecurity practices following a 2020 ransomware attack that exposed the personal data of at least 280,000 residents. The privacy watchdog did not impose any fines, but the Hackney Council has been reprimanded for the catastrophic incident that was “avoidable.”
The breach, attributed to the Pysa ransomware gang, highlights the devastating consequences of lax security protocols and underscores the importance of robust patch management and access controls.
The 2020 Hackney Council Ransomware Incident
The attack unfolded through a series of critical security lapses. A dormant account with a username and password – both set to “kiosk” – remained active for eight years, providing a backdoor for attackers. This vulnerability was compounded by a failure to apply a critical Microsoft security patch for a bug tracked as CVE-2020-0787 that had been readily available since March 2020. The attackers exploited this unpatched system to gain elevated privileges and access the council’s network.
In October 2020, using the elevated privileges, the attacker accessed servers and devices within the LBoH network and encrypted its data. Data encryption is a known attack methodology of ransomware attackers.
The attacker was able to encrypt LBoH’s on-premises environment that included 125 servers running Microsoft server operating systems and approximately 1,000 VDI desktop instances running Microsoft client OS. Overall, 440,000 files containing data of 280,000 resident of Hackney and their staff was encrypted.
The breach wasn’t limited to data encryption. The attacker also accessed the LBoH’s backup and initiated a deletion process of the data. The deletion process was identified and stopped by the engineers responding to the attack but not before 10% of the data was lost.
The attackers also managed to exfiltrate a subset of the compromised data, further jeopardizing the privacy of 9,605 individuals. The ICO investigation revealed that this data included highly sensitive categories such as racial or ethnic origin, religious beliefs, sexual orientation, and health information.
While LBoH took steps to mitigate the damage and improve security posture post-breach, the ICO emphasized that these efforts came too late. Stephen Bonner, Deputy Commissioner of the ICO, stated, “This was a clear and avoidable error… This is entirely unacceptable and should not have happened.”
“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.”
– Stephen Bonner, Deputy Commissioner of the ICO
Hackney Council Reprimanded, Not Fined; Why?
The ICO opted for a reprimand instead of a fine due to LBoH’s remedial actions. Bonner said the council took swift and comprehensive action to mitigate the harm of the attack as soon as it became aware of the incident, engaged with NCSC, the NCA and the Metropolitan Police, and took a number of remedial steps since the incident.
These steps included breach notifications to all residents, in-person notifications for those deemed at significant risk, and improved cybersecurity with a new “zero trust” model designed to provide resilience against future ransomware attacks.
The council had also sought to replace its patch management system with a new state-of-the-art system to reduce vulnerabilities, but the ransomware attack took place before that.
“We commend the council’s good governance structures, policies, improvement plans and training and development of staff, as well as acknowledging the impact that the Covid-19 pandemic has had on the resources of organisations like local authorities… the public sector approach has been applied and a reprimand has been issued instead for the established infringements of UK GDPR,” the ICO said.
Council Says Breach “Mischaracterised and Exaggerated”
The Hackney Council welcomed the ICO investigation completion, but maintained that the Council has not breached its security obligations.
“We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data.” – Hackney Council
Citing “limited resources” available to challenge the ICO’s decision, the Council said it will instead continue to work closely with the relevant authorities and the wider public sector to defend public services against cyberattacks and ensure the safety and wellbeing of its citizens.
Modern IT systems are extremely complex and cyber threats continue to grow. Since 2020, organisations of all sizes in the public and private sector have fallen victim to criminals deploying ever more complex and sophisticated modes of cyberattack. To meet this rapidly changing threat, we have been investing and rebuilding our systems to further accelerate the delivery of our strategy of using the most modern and secure systems possible,” the Hackney Council said.
“This was a deplorable attack by sophisticated, organised cyber criminals, coming at a time when we were responding to the first wave of the covid pandemic,” said Caroline Woodley, Mayor of Hackney. “While we do not agree with all the ICO’s findings, the completion of the investigation means we can focus on our ongoing efforts to keep data secure and deliver the vital services that our residents rely on.”
The incident serves as a reminder for local authorities and organizations handling sensitive data. Patch management, proper access control practices, and vigilant monitoring are fundamental to preventing such catastrophic breaches.
The ramifications of the Hackney breach extend beyond financial penalties. The potential for identity theft, discrimination, and reputational damage for affected individuals underscores the importance of prioritizing cybersecurity even at a local governance level. In light of the ransomware attack on local London hospitals last month that has led to the cancellation of more than 8,000 surgeries and appointments, this seems to be more important than ever.
