Town Hall ‘still working to recover data’ more than a year after ‘devastating’ cyber attack

An audit committee report described the October 2020 hack as ‘severe and complex’

The “devastating” cyber attack on Hackney Council has further strained the “flexibility and resilience” of its finances, councillors have been told.

Cyber criminals struck in October 2020, when the Town Hall was already coping with the impact of the pandemic, and the following January saw data published on the dark web.

File names including ‘Tenancy Audits’ and ‘Complaints Community Safety’ were among the material allegedly published, but council bosses stressed that the stolen data was not “a big cache of bank and credit card details”.

The hack, which could cost the council £10m, affected multiple services and left key data missing. It is being investigated by the National Crime Agency.

The council’s audit committee this week discussed a specially commissioned report by its auditors Mazars, but did so behind closed doors.

That decision was challenged by the Citizen because of the public interest in the attack, which saw staff and residents’ data exposed.

The council cited legislation and said it could not talk about the £10,085 report in public because it included “information relating to any action taken or to be taken in connection with the prevention, investigation or prosecution of crime”.

Committee chair Nick Sharman said: “This is one of the most devastating attacks that we’ve received. It’s had a harmful effect both on the council’s operations and on residents and we certainly want to share as much information as is possible.”

He said the council will look at what it can make public.

In a public report, finance and corporate resources director Ian Williams said: “Following work performed by Mazars IT audit team, in response to the cyber attack on the council, Mazars have concluded that they are satisfied that in all significant respects, the council had put in place proper arrangements to secure economy, efficiency and effectiveness in its use of resources for the year ended 31 March 2020.”

Cllr Sharman told the meeting: “I am sensitive to the points raised by the objections.”

In the public part of the meeting, during which council finances were discussed, risk officers said the attack is still causing problems with housing services.

Housing director Steve Waddington explained that the loss of the housing benefit system in the attack means no new tenants have had their benefits assessed since August 2021.

They have prioritised getting people who are homeless or in temporary accommodation “through the system first”.

The council is tracking the impact.

Waddington said the attack also meant that data was lost for “a high number of cases” of people whose benefits were processed between July and October 2020 – in the run-up to the cyber attack.

“We anticipate the impact of the housing benefit and universal credit owed to the housing revenue account is around £2m to £2.5m, which will ultimately be credited to individual accounts,” he said.

The council is also working to rebuild its IT system, which assesses arrears – currently at £14.8m.

“I cannot underestimate the impact of not having that arrears system in place because we’re not able to accurately determine when we want to take enforcement action, progress to court without that system in place,” said Waddington.

Ajman Ali, the council’s neighbourhoods and housing group director, described how the hack forced staff to go back to “pen and paper”.

He said: “The cyber [attack] has had a really big impact on neighbourhood and housing services.”

He explained that it hit planning, business and regulatory services, and “more significantly housing services which is very IT-reliant”.

He added: “You probably won’t believe when I say that staff had actually gone to pen and paper and I’ve been down in the council, down at the depot, piles and piles of A4 paper on staff desks actually putting down job tickets and waiting to put them down onto the computer system.”

In its audit of the council’s finances, Mazars added risks to the collections fund, housing revenue account and housing benefit spending because of the attack.

The council said the incident has further strained the “flexibility and resilience” of its financial position, alongside Covid.

Over a year on, social services “do not yet have access to the full set of functions required to operate normally”, although “core data” was recovered.

It has also meant revenue and benefits are still tackling a backlog.

The council said it is still working to recover data. It said the most critical services affected are social care, benefits and revenues, planning and land charges and housing.

A report for the audit committee said: “In all cases progress has been made, but due to the severe and complex nature of the attack there is still further work needed to fully recover services.”

Williams said: “When the attack was discovered in October 2020, immediate work was carried out to isolate the council’s internally hosted systems and network and to notify the national leads for cyber security.

“However, risks remain that recovery work may introduce new vulnerabilities or reintroduce vulnerabilities which existed at the time of the attack or retain elements of the attack which could be reused in future.”

His report added: “Risks remain relating to the data stolen and published to the dark web in January 2021.”