Britain’s data watchdog has lambasted London’s Hackney Council for a cyber attack that “severely” impacted residents, saying the breach was “a clear and avoidable error.”
In October 2020, hackers infiltrated Hackney’s systems, accessing, encrypting, and in some instances exfiltrating personal data. The compromised information included residents’ names, addresses, racial or ethnic origins, religious beliefs, sexual orientations, health data, economic details and criminal records.
The attack led to hackers gaining access to and encrypting 440,000 files, affecting at least 280,000 residents and other individuals including staff.
In a scathing rebuke, the Information Commissioner’s Office (ICO) today slammed Hackney Council for failing to put sufficient measures in place that could have better protected their systems and data.
“This was a clear and avoidable error from London Borough of Hackney,” said Stephen Bonner, deputy commissioner at the ICO, “one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents.
“At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.
“If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly. Hackney residents have learnt the hard way the consequences for these errors – councils across the country should act now to ensure that those they are responsible for do not suffer the same fate,” Bonner added.
The ICO deemed the cyber attack to have posed a “meaningful risk of harm” to 230 individuals, with over 9,600 records confirmed as exfiltrated by the attackers. It said Hackney Council took swift and comprehensive action to mitigate the harm of the attack as soon as it learned it had taken place.
In response to the ICO, Hackney Council said: “While we welcome the ICO completing its investigation, we maintain that the Council has not breached its security obligations. We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data.
“However, we do not believe it is in our residents’ interests to use our limited resources to challenge the ICO’s decision.
“We have worked closely with the National Cyber Security Centre, National Crime Agency and Metropolitan Police to identify, contact and help those who were significantly affected by the cyberattack, and the ICO has recognised our robust and transparent response.”