Hackney Council issues urgent communication amid ‘critical’ cyber threat risk

Hackney Town Hall

Hackney Council is not currently thought to be affected. Image: Google

Hackney Council has raised its cyber threat level to ‘critical’ after multiple London local authorities reported attacks this week.

Westminster City Council, the Royal Borough of Kensington and Chelsea and Hammersmith and Fulham Council say they are working ‘closely together’ to restore IT services after a ‘serious cybersecurity incident’ was reported on Monday (24 November).

While Hackney Council has confirmed it is not affected, staff were sent an urgent communication on the morning of Tuesday, 25 November, warning them to be wary of phishing and social engineering attack methods.

A missive seen by the Local Democracy Reporting Service (LDRS) and shared with the Citizen said: “We have received intelligence that multiple London councils have been targeted by cyber-attacks within the last 24-48 hours, with potential disruption to systems and services.

“We are escalating our internal cyber threat level to critical. Your immediate cooperation is essential to protect the council and the data of our residents.”

Among other precautions, staff were urged not to verify unusual requests, open suspicious emails or click on unusual links.

Hackney Council was hit by a separate major cyber attack in October 2020, allowing hackers to access and encrypt 440,000 files.

The attack disrupted many of the council’s services, some of which did not return to normal until 2022. At least 280,000 residents were affected, as well as Hackney Council staff – and 230 people were deemed to be at “meaningful risk of harm” as a result of the breach, according to Join the Claim.

The Information Commissioner’s Office (ICO) last year said the authority was ‘not without blame’ and found “examples of a lack of proper security and processes to protect personal data” following the incident.

The regulator’s deputy commissioner, Stephen Bonner, said the breach was the result of a ‘clear and avoidable error’ by the council.

In December of last year, the LDRS reported the council had spent hundreds of thousands of pounds more than expected to deal with the fallout from the cyber attack. The Citizen previously reported the aftermath cost the Town Hall more than £12million in 2021.

On 17 December, the local authority signed a contract for a new housing management system which, it said, was then implemented in January.

The team said: “This follows a thorough review of available options, and negotiations to secure the best value for money for Hackney.”

There is no suggestion that the two attacks are linked.

A Westminster City Council spokesperson told the Citizen: “We know a number of systems are impacted across both organisations, including phone-lines. We are diverting more resources to manage this incident and monitor emails and phone lines, and the councils have invoked business continuity and emergency plans to ensure we are still delivering critical services to residents, focusing on supporting the most vulnerable.

“We are asking residents if they need to report an immediate emergency issue, please call 020 7641 6000 for the general line or 0800 358 3783 for Housing.

“Today we are letting partners and residents know what has happened, we are informing the Information Commissioner’s Office, in line with following all the relevant protocols. We don’t have all the answers yet, as the management of this incident is still ongoing. But we know people will have concerns, so we will be updating residents and partners further over the coming days.

“At this stage it is too early to say who did this, and why, but we are investigating to see if any data has been compromised – which is standard practice. Our IT teams worked through the night yesterday and a number of successful mitigations were put in place, and we remain vigilant should there be any further incidents or issues.

“We apologise to residents for any inconvenience, and thank them for being flexible and understanding, people may see some delays in responses and the services we provide over the coming days. We will continue working with our cyber specialists and the NCSC to restore all systems as quickly as possible, and we will be in touch with more information as it becomes available. If there are any further changes to services, we endeavour to keep everyone updated.”

A Kensington and Chelsea Council spokesperson added: “Kensington and Chelsea Council and Westminster City Council are responding to a cyber incident affecting some shared IT systems. We identified the issue quickly on Monday (24 November) and are working with cyber specialists and the National Cyber Security Centre to protect data and restore services.

“Some systems, including phone lines, are disrupted. If you need to contact Kensington and Chelsea Council, please use the phone numbers at the top of www.rbkc.gov.uk/contact-us/call-or-email-us. We’ve activated business continuity and emergency plans to ensure we are still delivering critical services to residents, focusing on supporting the most vulnerable.

“We are investigating the cause of the incident and will provide more information when it is available. We would like to apologise for any disruption and thank residents for their patience as we work to bring systems back online safely.”

Mayor of London, Sadiq Khan, said he was unaware of the attack when contacted by the LDRS but added City Hall is helping councils build better cyber resilience through the London Office of Technology and Innovation, the national cyber security agency and the National Crime Agency.

He said: “We are trying to encourage councils to have better resilience but the reality is, I’m afraid, those who breach protections are going to try more and more ways to get into those systems. We’re going to make sure we’re resilient, that means making sure we have the right safeguards in place.”

A Met Police spokesperson told the LDRS: “Met Police received a referral from Action Fraud on Monday, 24 November, following reports of a suspected cyber-attack against borough councils in London. Enquiries remain in the early stages within the Met’s Cyber Crime Unit. No arrests have been made.”

An Information Commissioner’s Office spokesperson told the LDRS: “It does not appear we have had an incident reported to us at this stage. For awareness, not all data breaches are personal data breaches and not all personal data breaches need to be reported to us.

“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”

The Citizen has contacted Hackney Council, the National Crime Agency and Hammersmith and Fulham Council for comment.
