Leicester City Council confirms ransomware attack after confidential documents leaked

Leicester City Council in England has confirmed that last month’s cyber incident was a ransomware attack after being made aware that the criminals behind the incident had uploaded stolen documents to their dark web extortion site.

INC Ransom had claimed to be behind the attack earlier this week, prompting Leicester’s strategic director, Richard Sword, to confirm on Wednesday “that a small number of documents held on our servers have been published by a known ransomware group.”

According to Sword, INC Ransom “is known to have attacked a number of government, education and healthcare organisations,” and published “around 25 or so confidential documents.”

These “include rent statements, applications to purchase council housing and identification documents such as passport information.”

The council had not initially warned locals that the attack may have involved criminals stealing their data. Sword said the breach of confidential information was a very serious matter and the publication of the documents was a criminal act.

People in Leicester have been warned that if they are approached by anyone claiming to be in possession of data relating to them, they should report this to Leicestershire Police using the non-emergency call service 101 or an online form.

“We realise this will cause anxiety for those affected, and want to apologise for any distress caused,” said Sword.

“At this stage we are not able to say with certainty whether other documents have been extracted from our systems, however we believe it is very possible that they have.”

The council said that most of its systems and phone lines are now operating normally following the decision to shut everything down on March 7 when the attack was detected.

Several of the local authority’s critical services were disrupted by the attack, forcing the council to publish several emergency numbers on its website as workarounds for people needing to contact the affected services, which included its child protection, adult social care safeguarding, and homelessness departments.

Disruptive cyberattacks affecting local authorities have surged according to the most recent data security incident trends released by the Information Commissioner’s Office, with 67 ransomware attacks recorded in the first three quarters of 2023 compared to 13 during the whole of 2022.

INC Ransom has also claimed to be behind an attack on NHS Dumfries and Galloway, part of the Scottish healthcare system. The criminals have published sensitive patient data as part of its extortion efforts against the local health board.