A council hit by a cyber attack could be forced to answer questions about the IT and security training it gave staff when they were forced to work from home because of the pandemic.
Cyber criminals struck Hackney Council in October 2020, with Pysa, or Mespinoza, ransomware paralysing some of its online services.
Four months later, employees’ and residents’ data was allegedly published on the dark web by hackers who claimed it came from the attack on the London council’s IT systems.
The council said the attack affected “a limited set of data, it has not been published on a widely available public forum, and is not available through search engines on the internet”.
The National Crime Agency is still investigating the attack, as is the National Cyber Security Centre.
Missing data
The attack has cost the council millions of pounds and it is still missing data across many services.
It said the most critical services were Mosaic for social care, Academy for its benefits and revenues, and M3 for planning and land charges and delivering modern digital tools in housing.
Other local authorities have been targeted by hackers. Gloucester Council became the latest victim when it was attacked for the second time in December, when hackers hit services including revenue and benefits and planning.
Salisbury, Copeland and Islington councils were also affected by cyber attacks over the 2017 August bank holiday, when hackers unsuccessfully asked for a bitcoin ransom in return for data.
The attack on Hackney affected benefits data. Some people were unable to perform property searches, which affected some house sales in the east London borough.
Information commissioner to take action
The council now faces action from the information commissioner after refusing to say whether it gave council staff security training when they were required to work from home during the pandemic.
Liberal Democrat campaigner Darren Martin submitted a Freedom of Information request to ask the council what IT security training was given to staff in the two years leading up to the cyber attack.
“If it turns out that the attack that has left our vital services crippled in the borough since 2020 originated from a phishing scam or through somebody working from home, and that it could have been avoided by additional training and security – then the mayor of Hackney and the Labour administration need to take full accountability for that,” said Martin.
Without the security protections that office systems provide, such as firewalls and blacklisted IP addresses, staff working from home could have been vulnerable to phishing emails and cyber attacks, the activist added.
Martin said he wanted Hackney Council to explain whether it offered extra training as more staff were working from home because of the pandemic.
“I asked a simple question on whether important training was given to employees accessing council systems from home, and if releasing that information affects the police investigation, then it is Hackney Council’s duty to adequately explain why,” he said.
“While it is completely understandable that some information cannot be released due to the ongoing nature of the cyber attack and the police investigation, Hackney Council cannot use this as an excuse to stonewall every request for transparency.”
The council said it did not have to answer Martin’s FoI request because of exemptions related to revealing information about the prevention or detection of crime.
Cloud services
Hackney Council said it had “invested heavily in modern technology and cloud-based services – ahead of many other councils”. It said it was not complacent before the attack and is continuing to invest in cyber security.
The authority said it had been “moving away from old-fashioned servers and PCs to cloud-based systems”.
The council’s older systems were hit by a “complex and sophisticated criminal attack on public services”, it added. “The attack on Hackney was part of a rapid increase in serious cyber threats globally, impacting on a large number of high-profile organisations.”
The council said it was “continuing to do everything possible to protect our systems and data, and also to support cyber resilience across the wider local government sector through sharing our learning”.
Risk of contempt
Martin appealed against the council’s action and then took his complaint to the Information Commissioner’s Office (ICO), which sent the council an information order asking it to provide more details about why it had rejected the request.
Public bodies have to respond to an information order within 30 days or risk being in contempt of court.
Follow-up emails from the ICO were met with out-of-office messages and the council did not respond to phone calls from the data watchdog. The issue has now been referred to the ICO’s legal department.
Hackney Council said it is talking to the ICO to carry out its responsibilities regarding Martin’s FoI request.
Its auditor Mazars’ annual auditor’s letter, discussed by the council this year, said: “Work performed by our IT audit and cyber specialists has confirmed that the council had appropriate arrangements in place to either prevent or reduce the likelihood of a cyber security breach.”
The council said it was following improvements recommended by Mazars in a report into the cyber attack which was discussed behind closed doors at a meeting last month.
The authority said it is committed to being as transparent as possible about the attack.
“Unfortunately, we have to be cautious about what information we share,” said a spokesperson. “The criminal investigation into the attack is ongoing and sophisticated criminal groups continue to target all organisations. Even information that might appear low-risk may help criminals to cause further harm to the council and our residents.”