The serious cyber attack on Hackney Council last October is likely to cost the borough around £10m, according to Mayor Philip Glanville.
The attack by organised criminals rendered key financial and operational systems inaccessible and paralysed several council services, including its ability to make and receive payments and take applications for its housing waiting list.
It forced the borough to make changes to its planning processes, saw stolen resident data published on the dark web, and even froze the local property market after land searches became impossible.
While the latest budget being debated this year keeps in reserve £2m for the cost of the attack, this amount, according to the borough leader in a recent interview, represents only an “initial downpayment” on the type of investment needed to recover.
The council is understood to be bringing forward a similar level of investment to the £10.4m it has cost Redcar Council to recover from an attack on its systems in February 2020.
Glanville said: “This was not an attack that took place on a council that was unaware of these issues and making the sorts of investment we would need to have stable and secure systems to support our services and residents.
“In terms of getting to that Redcar figure, we are making some assumptions here in the budget about the amounts of money we would need to spend immediately and doing that longer term analysis of what we would need to spend over the next couple of years.
“It may well be shifting around existing resources that we would have spent on these systems and platforms anyway. The Redcar figure is in the broad envelope of what we are exploring.
“What we don’t have is a publicly facing figure at this stage, as that work is ongoing, but you would not be far off if you were thinking that that was roughly the type of investment that we need to make.”
The council has made clear that it typically spends £3m a year in capital invesment in its tech, with the response to the attack expected to bring forward three years’ worth of such investment, while stressing that this could be a “moving picture” due to the complicated nature of the work.
Access has now been restored to the council’s finance system, but according to the budget other systems in revenues and housing remain either “inaccessible or partly inaccessible”.
The report adds that the longer this situation remains, the greater the backlog in bringing records up to date, with a potentially “adverse impact” to be seen in this area in 2021/22.
Glanville added: “What we are doing some deep analysis of is looking at some of the systems that will have needed replacing anyway and bringing forward that investment.
“So if we were about to upgrade our housing system in a year or so’s time, investing in it early is a cost of cyber as we’re bringing forward that investment, but there would have been some assumptions either on a capital or revenue side of replacing that system or upgrading it anyway. So these are not just new costs.
“It shows that complexity of rebuilding services. The bit that the resident sees, the financial transaction, the phone call to the council wanting some information – the platforms that provide all of that are often hidden but are obviously very well known to us now and need to be properly rebuilt to support those teams and the services they provide our residents.
“That work is very actively ongoing and there is a system by system process.”
Following the publication of data by the criminals who perpetrated the attack, the Town Hall stressed that the “vast majority” of the sensitive and personal information held by the council was unaffected.
Anti-malware advice published by NHS Digital on Pysa, the tool used to mount the attack, says that it was first observed in October 2019, and defines it as a “human-operated ransom tool created by an as yet unidentified advanced persistent threat group”.
The council has not revealed any details as to how the attack took place, but it is understood that it can potentially either be distributed through so-called ‘brute-force’ attacks, in which an attacker tries all possible passwords and phrases for a system, or through a spam or phishing email campaign.
You can read the ICO guidance on what to do if your identity is stolen here.
If you’re concerned about your data, Hackney’s Data Protection Officer is Nicholas Welburn, who can be reached on firstname.lastname@example.org