Ransomware attack? Hackney Council in London admits it has been the target of a ‘serious’ cyberattack and urges people not to contact it unless urgent
Cyber criminals have once again targeted the IT systems of a local council, after Hackney Council in London admitted it has suffered a serious cyberattack.
“We have been subject to a serious cyberattack, which is affecting many of our services and IT systems,” the local council tweeted. “We’re working with @NCSC and experts to investigate, and will provide updates as we get them. Please avoid contacting us unless absolutely necessary.”
Other local councils in the UK have been hit before. In February this year, IT systems at Redcar and Cleveland Borough Council were crippled for over three weeks, forcing staff to use pen and paper and costing the council at least £10m.
Prior to that in 2016, Lincolnshire County Council also had to use pen and paper after a malware attack.
But it seems as though Hackney Council has managed to keep its main website online, as it posted a notice about the incident on Tuesday from Philip Glanville, Mayor of Hackney.
“Hackney Council has been the target of a serious cyberattack, which is affecting many of our services and IT systems,” Glanville noted. “Council officers have been working closely with the National Cyber Security Centre, external experts and the Ministry of Housing, Communities and Local Government to investigate and understand the impact of the incident.”
“This investigation is at an early stage, and limited information is currently available,” he said. “We will continue to provide updates as our investigation progresses.”
“Our focus is on continuing to deliver essential frontline services, especially to our most vulnerable residents, and protecting data, while restoring affected services as soon as possible,” he added. “In the meantime, some Council services may be unavailable or slower than normal, and our call centre is extremely busy. We ask that residents and businesses only contact us if absolutely necessary, and to bear with us while we seek to resolve these issues.”
It is not clear at this stage what form of attack has occurred, but the finger of suspicion will be pointed firmly at a ransomware attack.
One security professional noted that global pandemics seem to matter nought to online criminals.
“At a time when local councils are spending much of their time focused on issues relating to Covid-19, the last thing that they need is the stress that a cyber attack brings,” said Stuart Reed, UK Director at Orange Cyberdefense.
“Unfortunately cyber criminals will often prey on organisations that they know are under pressure, and while details of this particular incident have yet to be revealed, since the outbreak of the pandemic we have seen numerous examples of hackers capitalising on the crisis by using social engineering attacks to trick their way into corporate systems,” said Reed.
“The fact that so many employees have been working from home has increased the risk of social engineering – an increased dependence on ‘virtual’ communications like email, video conferencing and calls, renders users more vulnerable to social engineering attacks,” Reed added.
“Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past,” said Reed. “The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others.”
Another expert noted the large impact a cyberattack can have on public sector organisations.
“The ongoing and increasing number of attacks on public sector organisations continues to give cybersecurity professionals, at all levels, a cause for concern,” said Dr Francis Gaffney, director of threat intelligence at Mimecast.
“Although an attack on private sector organisations can have significant consequences, there are few sectors that have the potential to impact as many lives, in as many ways, as the public sector,” said Dr Gaffney. “The public sector is an attractive target to threat actors, as the size and scope of many public sector organisations means they are often responsible for securing particularly sensitive personal data for millions of people.”
“This attack on a local authority, particularly during a pandemic when many citizens are turning to their local authority for help and guidance, highlights just how wide the socio-economic blast radius of a cyber-attack on a public sector entity can be,” said Dr Gaffney.
Another expert warned of possible hefty financial penalties if people’s data has been compromised.
“This attack should come as no surprise. Public sector organisations have long been a prolific hunting ground for hackers,” said John Hurst, head of public sector at CyberArk. “Of all the ICO fines for data breaches handed out since 2010, 54 percent have actually been levied against public sector bodies, with local councils specifically accounting for 30 fines.”
“GDPR-inflicted fines and the direct practical effects of a cyber attack, including having to resort to offline functions, are not the only after-effects Hackney Council should expect,” said Hurst, highlighting the similarities between this attack and the recent attack on Redcar and Cleveland Borough Council.
“That attack reminded us that there are more negative outcomes of an attack than the financial repercussions of disrupted service and the likely GDPR fine,” said Hurst. “Compensation must be paid to victims of the breach where appropriate, which can prove costly if a large amount of data is involved, and investing in IT auditors to investigate such incidents can be expensive. If the attack is particularly damaging, certain situations may even call for a third party to come in and clear up the mess left behind by the attackers, leaving councils with a significant bill to pay. They need to get security right, particularly at a time when trust in public services is so critical.”