The failure of Copeland Borough Council to submit audited accounts for its final four years of business has been blamed on a ransomware attack that occurred in 2017. Former council bosses claim that this attack led to accounting troubles and a lack of adequate cyber security measures. Auditors from Grant Thornton criticized Copeland for hiring non-specialist IT staff to address the attack, as well as for rebuilding critical IT systems on outdated equipment. They highlighted a lack of understanding of the risks faced due to weaknesses in the IT control environment.
The financial repercussions of the ransomware attack have been significant, with a discrepancy of at least £8m identified in Copeland’s books. This has contributed to a shortfall of nearly £30m in the newly established Cumberland authority. The auditors from Grant Thornton described Copeland’s finances as “a sea of red”, indicating long-term failings in the management of the council’s accounts. It was also noted that management was unable to fully explain the costs associated with the cyber attack and subsequent response, citing poor record-keeping and staff turnover.
Questions remain regarding the adequacy of Cumbria’s cyber defense systems and overall IT governance, especially in light of reports questioning the vulnerabilities of Sellafield’s cyber security regime. Cumberland Council has taken steps to address these issues since its establishment in April 2023, including developing an interim emergency plan and undertaking extensive work to ensure compliance with government cyber security standards.
The council has acknowledged the strategic risk of cyber attacks in the current geopolitical climate and has taken steps to modernize and replace infrastructure in line with best practices. However, concerns remain about potential cyber threats posed by China and other hostile state actors. Sellafield has been contacted for comment on these issues.