Hackney systems could be unavailable for months, says council

A month after key systems were taken offline in a “serious” cyber attack, multiple services at Hackney Council in London are still unavailable, and may remain so for months, according to the council.

In an update, the council said it was continuing to work hard to recover systems needed to resolve the significant disruption caused by the incident.

“While some of our services may be unavailable or disrupted for months, key essential services, including our coronavirus response, continue to operate,” the council said.

“Some vital services that had been disrupted have now fully or partially returned, or the council’s teams have created new or temporary ways for residents to access them.

“Our teams have worked incredibly hard to ensure all essential services for residents have remained in place, and to provide as much support as possible where normal operations have been disrupted.

“In non-critical areas some of our services have been slower than usual, and we are not currently able to respond to all requests and enquiries as well as we normally would.

“We are sorry for the inconvenience this is causing and grateful for your continued patience while we work to resolve these issues.”

As of Monday 16 November, Hackney Council’s online payment portal for paying rent and service charges and checking balances remains unavailable, and the council cannot accept payments in person by cash or card or over the phone. Nor can it set up new direct debits.

However, its multiple payments portal is working, as are automated over-the-phone payments. Online bank transfers and payments at a bank, Post Office or Paypoint locations are possible, and existing direct debits and standing orders are now being processed as normal. Hackney Council said these options were all “safe and secure to use”.

Beyond this, the council cannot respond in full to some enquiries around service charge bills or provide rent statements, payment records or repair histories. It has also lost the ability to access emails sent to a number of council inboxes between 12 October – when the attack apparently began – and 26 October.

In a previous statement, Hackney mayor Philip Glanville said: “I am incredibly angry that organised criminals have chosen to attack us in this way, and in the middle of dealing with a global pandemic. It is morally repugnant, and is making it harder for us to deliver the services people rely on.”

The council has still not given any further update as to the exact nature of the cyber attack on its systems. According to Glanville, this is because it does not want to “inadvertently assist” its attackers.

However, this has led to speculation, thus far unconfirmed, that the council has fallen victim to a ransomware attack. If this is the case, the likelihood that the personal data of Hackney residents has been compromised could be high, as ransomware gangs have this year taken to exfiltrating and leaking their victims’ data.

The implications of this scenario for residents could be severe, heightening the possibility of identity theft and fraud, among other things.

Even if the incident affecting Hackney is not ransomware-related, local residents should be alert to the possibility of becoming embroiled in further cyber attacks. Guidance on good cyber security hygiene for individuals and families is available from the National Cyber Security Centre (NCSC).