Hack me – I’m Hackney

Last October, Hackney Council in London suffered a major cyber-attack, which took many of its customer-facing services offline.  Three months on, many of those are still not available.  The council has been coy about exactly what happened, but has just released a statement telling Hackney residents that some of the data stolen in the breach has now been released by the hackers.

Their latest email newsletter states that “Hackney Council has been made aware that data stolen in October’s cyberattack has been published by the organised criminals responsible for the attack. The experts supporting the Council believe that this is a limited set of data, it has not been published on a widely available public forum, and is not visible through search engines on the Internet.”

A number of media outlets have published screenshots of the files available, and file names such as passportsdumppart1.zip suggest that they do contain personal data.  This also makes it obvious that this was a ransomware attack (something the council had not admitted), with the attackers following up the initial attack by releasing stolen files.

It is every IT worker’s nightmare to receive a call saying the system is down and it looks like a cyber-attack.  Equally, they should all be aware that they need to put as much security and training in place as possible to prevent an attack, along with a recovery plan that lets them bring everything back up in the shortest possible time.  In this case, it seems that both were lacking.  The council has worked wonders to get services back up and running, particularly as they were dealing with the pandemic at the same time, but services like property searches have suffered.  As a result, house sales in the borough are falling through and house prices are falling, against the trend for the rest of London.

Teiss, in a report published last year, claimed that since 2017 there have been 17 successful cyber-attacks on local councils in the UK.  The damage can be devastating.  A similar attack on New Orleans, which is only a bit bigger than Hackney, occurred in December 2019 and cost them around £6m and the best part of a year to clear up.

Whilst councils need to do all they can to prevent attacks, disaster recovery is equally important, so that downtime can be reduced to days or weeks rather than months or a year.  In most cases, disaster recovery means modernisation, which means serious amounts of money.  Around 80% of New Orleans’ cost went into updating their systems.

There has been no lack of warnings and advice from the Government, security advisers and commercial companies, but not much obvious financial support.  It is thought that many victims still don’t report attacks to the Information Commissioner’s Office (the law requires a breach to be reported within 72 hours of its discovery), because that kicks off the GDPR infringement process, typically leading to a fine, which can be up to £17.5 million or 4% of the total annual worldwide turnover of a company in the preceding financial year.

It’s a stick which is aimed at prevention, and has typically been promoted as a deterrent.  British Airways were fined £183 million (later reduced to £20 million) for leaking the personal information of 500,000 customers; Ticketmaster £1.2 million for leaking those of 40,000 customers.  With a budget for 2020/21 of £1.155 billion and a population of 280,000, a simple pair of pro-rata calculations suggests that if it were levied, Hackney could be facing a fine of somewhere between £12 million and £46 million.  But that helps nobody: councils don’t need penalties, they need help.  Simply coping with the pandemic is expected to cost Hackney around £71 million as a result of additional costs and lost income.  Given New Orleans’ experience, the attack on Hackney will probably cost around £10 million to fix.  Adding any fine on top of that would be sheer stupidity.  New Orleans did have cyber-attack insurance, which helped defray the cost for them.  Hackney Council has not said whether it does or not, which rather suggests it doesn’t.

The point here is that whilst the big GDPR stick may motivate companies to address the danger and costs of hacking, it’s not a very useful tool for persuading cash-strapped councils and Government departments to do the right thing.  There are 343 local authorities in the UK, all of which are potentially at risk.  If each is attacked and needs to spend £10 million on recovery, that’s almost £3.5 billion, before you count the chaos of disrupted services.

The pandemic is diverting attention for very good reasons, but as IT focus shifts elsewhere the risk of cyber-attacks rises.  In the same way that health experts are warning that non-Covid deaths are rising because routine treatments are not happening, either because hospitals are busy or patients are afraid to attend, so we may be giving criminals an easier opportunity as IT focus and money follow the pandemic.  Short of catching cyber criminals, which is a long-term international effort, the best deterrent is probably funding disaster recovery, as a council that would only be minimally disrupted is not likely to be a good target for ransomware.  Instead, we see IT funds being poured into ill-conceived plans like the track and trace fiasco, which has eaten up around £20 million and diverted attention from the everyday security needs of local Government organisations.

Hackney may just have been unlucky, possibly because the name is a bit of a temptation.  However, there is a lesson that Government needs to learn from this: to make sure that more resources are made available, otherwise it will happen again.  And again, and again.  GDPR fines may act as a motivator for the commercial world; local councils that are already strapped for cash need a better IT carrot if they are going to keep our data safe.