London council accuses watchdog of 'exaggerating' danger of 2020 raid on residents' data

You escaped a big fat fine! Take the win and run, won’t you?


London's inner city district of Hackney says the UK's data protection watchdog has misunderstood and "exaggerated" details surrounding a ransomware attack on its systems in 2020.

The inner London borough lies northeast of the city center and is home to "Silicon Roundabout", a cluster of high-tech companies.

During the attack, thieves stole data of 280,000 Hackney residents, council employees and more, and some of the system's backups were deleted after the crooks broke into a server using an insecure password on a dormant account. The attack exposed "deeply personal information" as well as throwing multiple systems used by locals offline for extended periods.

The UK's Information Commissioner's Office (ICO), which imposes punishments on those who flout data protection law, issued the borough of Hackney with a reprimand today for the attack, which led to years of technical disruption and millions of pounds in damage.

An ICO reprimand is a formal expression of its disapproval and these have largely replaced the fines in the public sector that many think of when UK General Data Protection Regulation (GDPR) or such legislation is mentioned. It's a change current commissioner John Edwards announced in 2022 and these reprimands, which also contain advisory guidance to organizations, are published publicly to increase transparency over incidents. Fines are now reserved only for the most egregious breaches.

Among the conclusions the ICO reached following its investigation into the 2020 attack, it said Hackney Council had failed to properly implement a patch management system and had failed to change an insecure password on a dormant account, which was ultimately used to gain initial access to its servers.

The ICO went on to acknowledge that the council was looking into replacing its patch management system with a more robust solution. It also said Hackney's infosec governance, policies, and training of staff were on point, especially during a trying pandemic period.

A spokesperson for the council said today: "While we welcome the ICO completing its investigation, we maintain that the Council has not breached its security obligations. We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterized and exaggerated the risk to residents' data."

They went on to say that despite the disagreement with the ICO, the council isn't prepared to use its "limited resources" to challenge the watchdog's ruling, before pointing to other local authorities' breaches and how cybersecurity is a tricky business. 

"While we do not agree with all the ICO's findings, the completion of the investigation means we can focus on our ongoing efforts to keep data secure and deliver the vital services that our residents rely on," said Caroline Woodley, Mayor of Hackney.

"We deeply regret the impact that this senseless criminal attack had on Hackney residents and businesses, and I am grateful to council staff who continued delivering for our communities despite the challenges, and to our residents for their patience while services were impacted."

Facts of the matter

Hackney's cyberattack attracted a great deal of attention back in 2020, at the height of the COVID-19 pandemic, and that attention lingered as new details of the incident were drip-fed to the public over a prolonged period.

The attack was claimed by the now-defunct Pysa ransomware crew. Although no official council comms mentioned "ransomware", the fact that the data was encrypted and stolen, and backups were destroyed, all suggests ransomware was involved. Deploying a ransomware payload was also part of Pysa's MO at the time, shortly before encryptionless attacks became trendy.

All in all, Pysa was able to encrypt 440,000 files concerning at least 280,000 Hackney locals, staff, and others. The ICO said 9,605 files were stolen by the criminals and these contained data such as race and ethnicity, religious beliefs, sexual orientation, health data, economic data, criminal offense data, and the usual personal information that's often included in data breaches: names, addresses, etc. Hackney acknowledged that the theft of this data "posed a meaningful risk of harm" to 230 individuals.

The attackers also deleted 10 percent of the council's backups before its security professionals halted the intrusion and stopped the attack from going any further. The damage, however, was already done and many of its systems were down for months.

Hackney's ability to respond to Freedom of Information Act requests and subject access requests was also impeded for around two years after the attack. Although, cyberattack or not, many local authorities struggled in this regard due to the COVID-19 pandemic.

Stephen Bonner, deputy commissioner at the ICO, said: "This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents. At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.

"Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyberattacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided."

Bonner went on to again acknowledge Hackney's swift actions to mitigate the attack and the more robust security measures it now has in place – factors that influenced the ICO's decision to skip imposing a fine and instead adopt its fine-averse public sector approach. ®
