English council spent £1.1 million recovering from ransomware attack
Gloucester City Council in the West Midlands of England was forced to spend more than £1.1 million ($1.39 million) to recover from a ransomware attack in December 2021, according to the published agenda of a council meeting that took place on Monday.
The meeting followed the council receiving a formal reprimand by the Information Commissioner’s Office (ICO) for failing to prevent a cybersecurity incident that was discovered just before Christmas.
A data breach notification previously published on the council’s website said “information containing personal details of residents and members of the public … was taken in a sophisticated cyber-attack by a cyber-criminal group.”
The “sophisticated cyber-attack” was a spearphishing email, according to the published agenda, which detailed costs including bringing in specialist security consultants and software to aid the recovery, replacing key equipment, and migrating all of the council’s IT systems to cloud hosting. Of the total, £250,000 ($315,000) was covered by grants from the government.
The ICO’s reprimand highlighted several failures, including the lack of a “security information and event management (SIEM) system” and failing to prevent the ransomware attacker from tampering with the council’s logs, which allowed them to erase “crucial evidence” and hindered both the investigation and remediation of the incident.
The lack of a SIEM “significantly restricted Gloucester City Council’s ability to effectively monitor and respond to security incidents, detect anomalous activities, and identify potential threats.”
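The ICO’s point about the tampered logs is that evidence kept only on the compromised host can be erased by whoever controls that host. As an added example (not from the article, and not code belonging to the council or the ICO), the Python below shows one way a log collector can make such erasure detectable: every forwarded record carries the hash of the record before it, and the collector keeps the latest hash off-host, so a deleted, edited or truncated log no longer verifies. The event lines, timestamps and field names are constructed for illustration.

```python
import hashlib
import json

# Constructed sample events (not real council data): one record per line.
SAMPLE_EVENTS = [
    "2021-12-20T09:12:01 auth: user=finance01 login ok src=10.0.5.14",
    "2021-12-20T09:15:44 mail: attachment opened by finance01",
    "2021-12-20T09:16:02 proc: document viewer spawned a shell",
    "2021-12-20T09:16:30 net: outbound connection to unlisted host",
]

GENESIS = "0" * 64  # prev_hash of the first record in a chain


def _digest(record):
    """SHA-256 over every field except the record's own 'hash'."""
    material = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()


def chain_records(events):
    """Turn plain event strings into hash-chained, sequence-numbered records."""
    records = []
    prev = GENESIS
    for seq, event in enumerate(events, start=1):
        record = {"seq": seq, "event": event, "prev_hash": prev}
        record["hash"] = _digest(record)
        records.append(record)
        prev = record["hash"]
    return records


def verify_chain(records, expected_head=None):
    """Walk the chain and return (ok, first_bad_seq_or_None, reason).

    expected_head is the last hash the collector stored off-host; without it a
    truncated tail still verifies, which is why the head must live elsewhere.
    """
    prev = GENESIS
    for expected_seq, rec in enumerate(records, start=1):
        if rec["seq"] != expected_seq:
            return (False, expected_seq, "missing record")
        if rec["prev_hash"] != prev:
            return (False, rec["seq"], "chain break")
        if _digest(rec) != rec["hash"]:
            return (False, rec["seq"], "record modified")
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return (False, len(records) + 1, "tail truncated")
    return (True, None, "ok")


def demo():
    """Run the verifier against an intact chain and three kinds of tampering."""
    records = chain_records(SAMPLE_EVENTS)
    head = records[-1]["hash"]  # what the collector keeps off-host
    results = {"intact": verify_chain(records, head)}

    # A record in the middle is erased outright.
    erased = [r for r in records if r["seq"] != 3]
    results["erased"] = verify_chain(erased, head)

    # A record is edited in place, leaving seq and hashes untouched.
    edited = [dict(r) for r in records]
    edited[1]["event"] = "2021-12-20T09:15:44 mail: nothing to see"
    results["edited"] = verify_chain(edited, head)

    # The tail is cut off: only the off-host head hash reveals it.
    truncated = records[:2]
    results["truncated_no_head"] = verify_chain(truncated)
    results["truncated_with_head"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```

The chain only proves that the copy being examined matches what the collector saw; it does not stop an attacker who controls the host from writing false events before they are forwarded. That is the gap a SIEM fills by taking records off the host promptly and keeping the head hash where the host cannot reach it.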
Although the council had backup systems in place, these “were not utilised” as the council instead opted for a “full rebuild” of its systems “which significantly impacted the timeline for recovery of access to personal data.”
Part of the ICO’s reprimand regarded how the council failed to “restore access to personal data, or the systems that stored personal data, in a timely manner,” and that it was “unable to determine the data subjects at risk of harm from the incident in order to notify them.”
These were all considered breaches of the U.K.’s General Data Protection Regulations, and they come with a potential fine of up to 4% of the organization’s global turnover.
But the ICO opted for a reprimand, noting in mitigation that the council did have backups in place and that the “initial attack vector for this incident was a phishing email received from a legitimate third-party email address” rather than a specific vulnerability that the council should have fixed ahead of time.
The ICO also noted that — although they were not considered adequate — there were “some systems in place for gathering and reviewing logs.”
The attack on Gloucester City Council back in December 2021 has been followed by many more impacting organizations in Britain. Ransomware attacks have been on the rise since 2020, according to the ICO’s data, and not only hit record numbers last year but look set to do so again in 2023.
There have been almost as many incidents affecting organizations in Britain in just the first half of this year as there were during the entirety of 2021 — including 64 attacks on local government within just six months, more than the 60 incidents in total that had been recorded in the three years previously.
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.