Saturday, October 19, 2024

Hackney Council criticized for handling of 2020 ransomware attack

The Information Commissioner’s Office (ICO) has issued a strong reprimand to the London Borough of Hackney for multiple failings that allowed a ransomware attack to occur in October 2020.

The Pysa ransomware gang targeted the Council’s outdated servers and systems, encrypting around 440,000 files and impacting 280,000 residents of Hackney. The ICO’s investigation revealed serious security policy deficiencies at Hackney Council, including a failure to implement proper patch management procedures and a failure to change an insecure password on a dormant user account, which the cyber criminals exploited.

Critical services like housing operations were severely affected, with tenants unable to make payments or use various online services. The attack occurred during a period of Covid-19 lockdowns, amplifying the impact on residents. Full service restoration did not occur until 2022.

ICO deputy commissioner Stephen Bonner criticized the Council for allowing such a breach to happen, emphasizing the importance of implementing effective security measures to protect personal data. Mayor Caroline Woodley expressed regret over the attack’s impact and commended council staff for their response.

The ICO also noted that the compromised data included sensitive information falling under protected categories, underscoring the severity of the breach. Hackney Council disputed some of the ICO’s findings but pledged to collaborate with cybersecurity authorities to enhance its defenses against future threats.