A London council has been blasted by authorities after a cyber attack saw residents’ “deeply personal information” stolen by hackers.
Cyber criminals targeted Hackney town hall in October 2020. They gained access to 440,000 files, affecting at least 280,000 residents and members of staff.
The hackers encrypted the data and then deleted 10 per cent of the borough’s backup files before the council managed to intervene.
The Information Commissioner's Office (ICO) on Wednesday said its investigation found the council "failed to effectively implement sufficient measures" to protect its systems.
Deputy Commissioner at the ICO Stephen Bonner said: “This was a clear and avoidable error from Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents.
"At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers.
"Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.
“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks.”
Personal information relating to religious beliefs, health, criminal records, economic data and details of sexual orientation, among other personal identifiers, was accessed by the criminals.
The cyber-attack resulted in Hackney’s systems being disrupted for many months, with some services not being fully operational until 2022.
The council said it believes the ICO had "exaggerated" the risk to residents, but confirmed that the town hall would not be challenging the findings of the investigation.
Following the attack, the ICO said the borough took a number of remedial steps, including ensuring all residents were aware of the incident and promptly engaging with the relevant authorities.
Mr Bonner added: "Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same.
"If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly. Hackney residents have learnt the hard way the consequences for these errors – councils across the country should act now to ensure that those they are responsible for do not suffer the same fate.
“The council took swift and comprehensive action to mitigate the harm of the attack as soon as it learned it had taken place, including through their engagement with NCSC, and has taken a number of positive steps since.
“There is a vital learning from this for both Hackney and for councils across the country – systems must be updated."
The hackers exploited a dormant account and inadequately applied security patches to gain access to Hackney’s systems, the ICO investigation revealed.
Some of the data which was encrypted was also exfiltrated by the attackers. The ICO found 9,605 encrypted records were exfiltrated, with the attack posing “a meaningful risk of harm” to 230 individuals.
Mayor of Hackney Caroline Woodley said: "This was a deplorable attack by sophisticated, organised cyber criminals, coming at a time when we were responding to the first wave of the Covid pandemic.
"While we do not agree with all the ICO’s findings, the completion of the investigation means we can focus on our ongoing efforts to keep data secure and deliver the vital services that our residents rely on.”
A council spokesman added: "We maintain that the Council has not breached its security obligations. We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data.
"However, we do not believe it is in our residents’ interests to use our limited resources to challenge the ICO’s decision.
“Instead, we will continue to work closely with the National Cyber Security Centre, central Government and colleagues across local government and the wider public sector to play our part in defending public services against the ever increasing threats of cyberattack and to help ensure the safety and wellbeing of our residents."