Hackney Council Reprimanded For ‘Avoidable’ Data Breach
Exposed passwords and incompetent patch management exposed the sensitive data of 280,000 residents
Mihir Bagwe July 17, 2024
The Information Commissioner’s Office (ICO) has issued a damning verdict on the London Borough of Hackney’s (LBoH) cybersecurity practices following a 2020 ransomware attack that exposed the personal data of at least 280,000 residents. The privacy watchdog did not impose any fines, but the Hackney Council has been reprimanded for the catastrophic incident that was “avoidable.”
The breach, attributed to the Pysa ransomware gang, highlights the devastating consequences of lax security protocols and underscores the importance of robust patch management and access controls.
The 2020 Hackney Council Ransomware Incident
The attack unfolded through a series of critical security lapses. A dormant account with a username and password – both set to “kiosk” – remained active for eight years, providing a backdoor for attackers. This vulnerability was compounded by a failure to apply a critical Microsoft security patch for a bug tracked as CVE-2020-0787 that had been readily available since March 2020. The attackers exploited this unpatched system to gain elevated privileges and access the council’s network.
In October 2020, using the elevated privileges, the attacker accessed servers and devices within the LBoH network and encrypted its data. Data encryption is a known attack methodology of ransomware attackers.
The attacker was able to encrypt LBoH’s on-premises environment, which included 125 servers running Microsoft server operating systems and approximately 1,000 VDI desktop instances running Microsoft client operating systems. In total, 440,000 files containing data on 280,000 Hackney residents and council staff were encrypted.
The breach wasn’t limited to data encryption. The attacker also accessed the LBoH’s backup and initiated a deletion process of the data. The deletion process was identified and stopped by the engineers responding to the attack but not before 10% of the data was lost.
The attackers also managed to exfiltrate a subset of the compromised data, further jeopardizing the privacy of 9,605 individuals. The ICO investigation revealed that this data included highly sensitive categories such as racial or ethnic origin, religious beliefs, sexual orientation, and health information.
While LBoH took steps to mitigate the damage and improve security posture post-breach, the ICO emphasized that these efforts came too late. Stephen Bonner, Deputy Commissioner of the ICO, stated, “This was a clear and avoidable error… This is entirely unacceptable and should not have happened.”
“Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.”
– Stephen Bonner, Deputy Commissioner of the ICO
Hackney Council Reprimanded, Not Fined; Why?
The ICO opted for a reprimand instead of a fine due to LBoH’s remedial actions. Bonner said the council took swift and comprehensive action to mitigate the harm of the attack as soon as it became aware of the incident, engaged with NCSC, the NCA and the Metropolitan Police, and took a number of remedial steps since the incident.
These steps included breach notifications to all residents, in-person notifications for those deemed at significant risk, and improved cybersecurity with a new “zero trust” model designed to provide resilience against future ransomware attacks.
The council had also begun replacing its patch management system with a new state-of-the-art system to reduce vulnerabilities, but the ransomware attack took place before that replacement was in place.
“We commend the council’s good governance structures, policies, improvement plans and training and development of staff, as well as acknowledging the impact that the Covid-19 pandemic has had on the resources of organisations like local authorities… the public sector approach has been applied and a reprimand has been issued instead for the established infringements of UK GDPR,” the ICO said.
The incident serves as a reminder for local authorities and organizations handling sensitive data. Patch management, proper access control practices, and vigilant monitoring are fundamental to preventing such catastrophic breaches.
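The three control failures described in the account of the attack above (a dormant account left enabled for years, a username and password that were identical, and a host missing the fix for CVE-2020-0787) are all things a defender can audit for routinely, which is the point of the reminder in the preceding paragraph. The following is an added example, not code from the article or anything the council ran: a small audit over a constructed inventory of accounts and hosts. The 90-day dormancy threshold, the account and host records, and the salted SHA-256 stand-in for a credential store are all assumptions made for the illustration.

```python
"""Added example (not from the article or from Hackney Council): audit a
constructed account and host inventory for the weaknesses the ICO called out.

Checks performed:
  1. enabled accounts with no logon in DORMANT_DAYS days (dormant accounts)
  2. accounts whose password equals their username
  3. hosts missing the fix for CVE-2020-0787
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DORMANT_DAYS = 90  # assumption: policy threshold for disabling unused accounts
REQUIRED_FIXES = {"CVE-2020-0787"}  # the patch named in the article


@dataclass
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]  # None means the account has never logged on
    salt: str
    pw_hash: str


@dataclass
class Host:
    name: str
    os: str
    installed_fixes: set  # CVE identifiers whose fix is installed (constructed)


def hash_password(salt: str, password: str) -> str:
    """Stand-in credential store: salted SHA-256 (assumption, not a real directory)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_account(username: str, enabled: bool, last_logon: Optional[date],
                 password: str, salt: str = "s1") -> Account:
    return Account(username, enabled, last_logon, salt, hash_password(salt, password))


def dormant_accounts(accounts: List[Account], today: date,
                     threshold_days: int = DORMANT_DAYS) -> List[str]:
    """Enabled accounts that have not logged on within the threshold window."""
    cutoff = today - timedelta(days=threshold_days)
    return sorted(a.username for a in accounts
                  if a.enabled and (a.last_logon is None or a.last_logon < cutoff))


def username_as_password(accounts: List[Account]) -> List[str]:
    """Accounts whose stored hash matches the hash of their own username."""
    return sorted(a.username for a in accounts
                  if a.pw_hash == hash_password(a.salt, a.username))


def unpatched_hosts(hosts: List[Host], required=REQUIRED_FIXES) -> Dict[str, List[str]]:
    """Hosts missing any required fix, mapped to the list of missing CVE ids."""
    report = {}
    for h in hosts:
        missing = sorted(required - h.installed_fixes)
        if missing:
            report[h.name] = missing
    return report


# Constructed sample inventory; the dates and names are illustrative only.
SAMPLE_ACCOUNTS = [
    make_account("kiosk", True, date(2012, 6, 1), "kiosk"),            # dormant, weak
    make_account("jsmith", True, date(2020, 9, 28), "Correct-Horse-9"),
    make_account("svc_backup", True, None, "Xk7!pQ2m#vL"),               # never used
    make_account("oldadmin", False, date(2015, 1, 10), "Winter2015"),   # disabled
]
SAMPLE_HOSTS = [
    Host("dc01", "Windows Server", {"CVE-2020-0787"}),
    Host("file02", "Windows Server", set()),
    Host("vdi-pool-03", "Windows 10", {"CVE-2020-0787"}),
]


def run_audit(accounts=SAMPLE_ACCOUNTS, hosts=SAMPLE_HOSTS,
              today: date = date(2020, 10, 1)) -> dict:
    """Run all three checks and return the findings as one report."""
    return {
        "dormant": dormant_accounts(accounts, today),
        "username_as_password": username_as_password(accounts),
        "unpatched": unpatched_hosts(hosts),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings}")
```

Run as-is, the report flags `kiosk` under both account checks, `svc_backup` as dormant (never logged on but still enabled), leaves the disabled `oldadmin` alone, and lists `file02` as missing the CVE-2020-0787 fix. Against a real directory the dormancy check would read the last-logon attribute and the patch check would come from the patch management inventory; the structure of the report is what carries over.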
The ramifications of the Hackney breach extend beyond financial penalties. The potential for identity theft, discrimination, and reputational damage for affected individuals underscores the importance of prioritizing cybersecurity even at a local governance level. In light of the ransomware attack on local London hospitals last month that has led to the cancellation of more than 8,000 surgeries and appointments, this seems to be more important than ever.