Hackney Council in London reprimanded for failing to prevent ransomware attack

Britain’s data protection regulator, the Information Commissioner’s Office (ICO), has reprimanded Hackney Council in London for failing to prevent a ransomware attack.

The local authority for the borough in east London — home to just under 300,000 people — was severely impacted by the incident in October 2020 during the COVID-19 pandemic.

The ICO’s investigation into how the council handled the attack “found examples of a lack of proper security and processes to protect personal data” that resulted in residents’ personal information being published on the ransomware group’s darknet extortion site.

The lack of security and processes included the council forgetting to deploy a security patch management system, as well as failing “to change an insecure password on a dormant account still connected to Hackney council servers which was exploited by the attackers.”

In the end, the attack by the Pysa/Mespinoza ransomware group saw the hackers encrypt more than 400,000 files throughout the council’s IT estate and leave some services disrupted for almost two years.

During this period residents were widely left uninformed about the scale of the disruption to public services and about whether their personal data had been compromised.

The ICO said that “9,605 records were exfiltrated” and in the cases of 230 people these stolen details “posed a meaningful risk of harm” to the individuals affected.

“This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents,” stated Stephen Bonner, the ICO’s deputy commissioner.

“At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened,” said Bonner.

It comes as the ICO works through a backlog of fines and reprimands that were not published during the UK’s recent election campaign in-line with sensitivity rules about political impartiality.

Although organizations in the United Kingdom can face a fine of up to 4% of their global turnover for the most severe data protection failings, the ICO has for the last two years trialed only rarely issuing fines against public sector organizations as these fines “do not impact shareholders or individual directors in the same way as they do in the private sector.”

The two-year trial is not being reviewed, although the ICO said it “will continue to apply this approach to our regulatory activities in relation to public sector organizations” until that review is completed in the autumn.

In the case of Hackney Council, the ICO said it had “originally considered imposing a fine” but had instead issued a reprimand, partially due to “positive actions” taken by the council to mitigate potential harms caused by the incident.

Responding to the reprimand, Hackney Council disputed the ICO’s criticisms, saying it had not breached it security obligations and arguing the regulator “misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data.”

The authority’s spokesperson said “we do not believe it is in our residents’ interests to use our limited resources to challenge the ICO’s decision.”