London Borough of Hackney reprimanded following cyberattack (ICO)

The ICO exists to empower you through information.

We have issued the London Borough of Hackney with a reprimand following a cyberattack in 2020 that led to hackers gaining access to and encrypting 440,000 files, affecting at least 280,000 residents and other individuals, including staff.

In October 2020, hackers attacked the London Borough of Hackney (LBoH) systems, accessing, encrypting and in some instances exfiltrating records containing personal data. The encrypted data included data on residents that revealed their racial or ethnic origin, religious beliefs, sexual orientation, health data, economic data, criminal offence data and other data, including basic personal identifiers such as names and addresses.

Some of the data which was encrypted was also exfiltrated by the attackers. Of the affected records, we understand that 9,605 records were exfiltrated, with the attack being acknowledged by LBoH to have posed a meaningful risk of harm to 230 data subjects.

The hackers encrypted the data and then deleted 10% of the council's backups before the council managed to intervene. The cyberattack also resulted in LBoH systems being disrupted for many months, with some services not back to normal until 2022. One instance of this disruption related to LBoH's ability to deal with Freedom of Information requests and subject access requests: we received 39 complaints from individuals who had made subject access requests to LBoH between August and October 2020 but had not received an appropriate response.

In the subsequent investigation into the data breaches, we found examples of a lack of proper security and processes to protect personal data. LBoH failed to ensure that a security patch management system was actively applied to all devices, and failed to change an insecure password on a dormant account still connected to Hackney council servers, which was exploited by the attackers.

Stephen Bonner, Deputy Commissioner at the ICO, said:

"This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents. At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.

"Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyberattacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again we see breaches that would not have happened if such mistakes were avoided.

"If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly. Hackney residents have learnt the hard way the consequences for these errors; councils across the country should act now to ensure that those they are responsible for do not suffer the same fate.

"The council took swift and comprehensive action to mitigate the harm of the attack as soon as it learned it had taken place, including through their engagement with NCSC, and has taken a number of positive steps since.

"There is a vital learning from this for both Hackney and for councils across the country: systems must be updated, you have to take preventative measures to reduce the risk and potential impact of human error, and you must ensure that data that is entrusted to you is protected."

LBoH took a number of remedial steps following the attack, including ensuring all residents were informed of the attack, with in-person notifications for those deemed at significant risk; promptly engaging with relevant authorities such as the NCSC, the NCA and the Metropolitan Police; and improving processes. The council now has in place a new zero trust model designed to provide resilience against future ransomware attacks.

We acknowledge that, prior to the attack, the council sought to replace its patch management system with a new state-of-the-art system to reduce vulnerabilities. We also commend the council's good governance structures, policies, improvement plans and training and development of staff, as well as acknowledging the impact that the Covid-19 pandemic has had on the resources of organisations like local authorities.

We had originally considered imposing a fine. However, due to the positive actions taken by LBoH, including recognising potential harms and taking immediate steps to mitigate these harms, the public sector approach has been applied and a reprimand has been issued instead for the established infringements of UK GDPR.

Action we've taken

PDF (847MB)

Our data shows that a growing number of cyber breaches are being reported by the local government sector, with over 150 cyber incidents reported in the last year.

Poor information security leaves systems at risk and may cause real harm. We want councils across the country to learn from this reprimand and avoid being susceptible to a cyberattack. We have taken enforcement action against organisations who have failed to

For more advice, visit our security guidance for organisations.