Hackney’s director of information communication technology (ICT) Rob Miller was playing football with his family on a Sunday morning early in October when he got a message letting him know there was a systems outage being investigated at the Town Hall.
By the end of Sunday, the council had moved swiftly to shut down its systems, declared an emergency and notified national agencies after Miller’s team found “clear markers” that the local authority had been hit by a serious cyber attack.
Weeks later, key services at Hackney Council remain paralysed, including its ability to make and receive some forms of payment, and to take applications to join the housing waiting list or council tax reduction scheme. Much of its planning and licensing services are also down for the count.
Miller said: “It’s a bottom falling out of your stomach moment, because of the impact it has on residents. You know that none of these systems are just bits of software. They do things for real human beings, and they deliver services that matter.
“We need to have that self-reflectiveness to say, ‘It has happened, and there will be reasons for that.’ But we have been so serious both about being really focused on the things we need to do to manage what we have, and the shift of paradigm to actually put us in a place that is fundamentally more secure.
“Did we think that we were probably sat on a powder keg, or was it, ‘Oh my gosh, how has that happened?’ It is very much the latter, because we’ve put so much thought into security. But at the end of the day, clearly, there has been a weakness that has been exploited.”
The first thing the Town Hall did when it realised it was under attack was shut itself off from the internet and isolate its data centre, with the process beginning instantly to try to understand the type of attack that had taken place and what can be done to protect the organisation with it having happened.
The council has been able to confirm that while nearly every one of the hundreds of services provided by the Town Hall on a day-to-day basis has been impacted in some way, its cloud-based systems hosted by Google or Amazon, for instance, are unaffected, as well as, fortunately, the systems it uses to directly tackle the pandemic.
According to Miller, huge numbers of Town Hall workers who were retasked to stand up new services for the council, with a housing repairs service operational by the second Monday of the crisis, bringing benefits payments and safeguarding referrals back up and running, and establishing a system to pay for free school meals over the half term.
Miller added: “Things that we weren’t even planning to do before the attack, people have been able to do, often by using the cloud services people have been able to deploy.
“Clearly there are lots of services that are struggling significantly, and I wouldn’t want to put a veneer on that, but the amount of stuff that people have been able to get done because of that teamwork to support our residents is really impressive.”
An investigation is now taking place with the cooperation of multiple organisations, including the National Crime Agency, National Cyber Security Centre and local law enforcement, with the council also moving swiftly to bring in the Information Commissioner’s Office within 36 hours.
While speculation has been rife on the nature of the attack, Town Hall officers remain unable to confirm or deny whether they have experienced a ransomware attack, by which systems can be locked and data held to ransom unless demands have been met.
According to Miller, the risk that residents’ data across multiple systems has been breached is being taken “incredibly seriously,” with the local authority holding multiple different cohorts of information about its residents, including contact information, care details, planning data, and potentially even financial details (though the Town Hall’s payment system is safely run by a third party host).
Miller said: “A council runs so many things, so the span of data that we look after makes it really understandable that residents will be concerned about it. We’re taking it very very seriously. We don’t have evidence that data has been breached, but are putting the mitigations in place that need to be there if it had been.”
The ICT boss added that while it remains “very, very unlikely” that all types of data held by the council on the affected systems have been taken en masse, he accepted that even a small amount of data would be “worrying” for the person to whom it pertained, with the council remaining unable to confirm or deny if data has been lost, what type it could have been, and precisely how many people could have been affected.
Work will now continue by Miller’s team to unpick the impact on services, with most of the hundreds delivered by the council using more than one system.
The council leadership says it has been “proactive” in moving its systems from the 1990s and 2000s paradigm of Windows servers and PCs to cloud-based services, but the older services impacted by the cyber attack still remain.
Miller’s department, HackIT, is now having to establish whether the hundreds of different “micro-businesses” which make up the organisation might need the older part of their systems reestablished to get back to normal, and whether others might just need the process of moving entirely to a more modern system to be accelerated.
However, the impact on the Town Hall remains “significant,” with some systems unaffected, some with mixed affect and some hugely so, with officers still discovering as they go the impact this has had on the day to day business of the local authority.
Meanwhile speculation continues as to the nature of the attack, with IT support company LMS Group’s CEO Luke Mead saying: “Due to the fact that Hackney Council’s systems have been down for so long, this really does sound like a ransomware attack.
“Attacks such as this are absolutely crippling for organisations. Ransomware is getting more sophisticated and these hackers are also using them to steal. Hackers have cottoned on to the fact that locking organisations out of systems won’t gain them much if their victims can resort to a back-up and restore. So now they are also stealing data and threatening to publish it on the dark web, unless a ransom is paid. If an organisation holds lots of very sensitive data then this is a big issue.
“However, these attacks are avoidable and, typically, when I find a company has been hacked, it’s because it hasn’t adhered to proper procedures or it has underinvested in its IT systems.”
Asked if local authorities can increasingly expect to be targeted by such attacks as their role in gathering sensitive data as part of the contact tracing system increases, Miller said: “I’d say probably, yes, and it’s the range of things that councils do, isn’t it.
“If you want to be disruptive – the corollary of councils’ value to our communities is if you can disrupt it, it has a big impact.”
More information on the cyberattack can be found here.
Hackney Council’s standard advice on unsolicited calls can be found below.
There are some occasions when council staff phone residents to discuss payment. If it is a genuine call they will have information to hand and will not require confirmation of details or ask you for any other personal information. If residents have any doubt as to the authenticity of the call, they should take the caller’s name and extension and contact Hackney Council’s switchboard from a different phone to the one they received the call on and ask for that extension number. The signs to look out for are:
- being asked for money and put under pressure to act immediately
- being asked to provide bank account details
- being asked to make a purchase to win a prize
- being asked to contact a premium rate number
- receiving an unsolicited call
- if the caller is reluctant to give their address or contact details
On personal data, residents with any concerns can contact Hackney’s Data Protection Officer, Nicholas Welburn, who can be reached on firstname.lastname@example.org