At least 280,000 residents of London's trendy Hackney borough were affected by a cyberattack in 2020 when bad actors gained access to the local council's systems and encrypted 440,000 files.
Regulators said the attack was a result of the “failure to implement measures” that could have prevented the incident.
Hackers exploited a dormant account and “inadequately applied security patches” to gain access to the council’s systems, according to the Information Commissioner’s Office (ICO).
“This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents,” said Stephen Bonner, deputy commissioner at the ICO.
Some of the “most deeply personal information possible” ended up in the hands of the attackers, Bonner said, adding that “systems that people rely on were offline for many months.”
“This is entirely unacceptable and should not have happened. Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyberattacks,” he said.
Hackney Council said it “welcomed” the end of the ICO investigation but did not agree with the conclusion that it had breached its security obligations. It said the regulators had “misunderstood the facts and misapplied the law” and “mischaracterized and exaggerated” the risk to residents’ data.
While disagreeing with the findings, the council would not challenge the ICO’s decision due to “limited resources.”
“This was a deplorable attack by sophisticated, organized cybercriminals, coming at a time when we were responding to the first wave of the COVID pandemic,” Hackney Mayor Caroline Woodley said.
Woodley added: “We deeply regret the impact that this senseless criminal attack had on Hackney residents and businesses.”
According to the ICO, hackers attacked the London Borough of Hackney systems in October 2020, accessing, encrypting, and, in some instances, exfiltrating records containing personal data.
The encrypted data included data on the residents’ racial or ethnic origin, religious beliefs, and sexual orientation, as well as health data, economic data, criminal offense data, and other information including names and addresses.
According to the ICO, 9,605 records were exfiltrated, and council authorities acknowledged that the exfiltration posed “a meaningful risk of harm” to 230 data subjects.
The cybercriminals encrypted the data and then deleted 10% of the council’s backup before the local authorities managed to intervene. Some council services were not back to normal until 2022 as a result of the attack.