Old, on-premise systems targeted in Hackney ransomware attack

The Pysa ransomware attack on Hackney Council successfully targeted older, on-premise servers and systems that had not yet been migrated to the cloud, the council has revealed.

In a new update to the general public this week, Hackney Council said it had invested heavily in new technology and cloud-based services and believed it was ahead of the curve compared with its peers in this regard.

“We take cyber security extremely seriously and have invested heavily in modern technology and cloud-based services – ahead of many other councils,” said a spokesperson. “We were not complacent before the attack, and will continue this investment in our cyber security in the future, learning from this incident.

“While we’ve been proactive about moving away from old-fashioned servers and PCs to cloud-based services, some of these older systems still remain – as they do in any large public sector organisation. It is these older systems that were subject to the cyber attack in October [2020].”

Earlier this month, it was revealed that data stolen in the attack by the Pysa group is now being leaked – strongly suggesting that Hackney Council has resisted demands to pay. The leaked data includes passport data, scans of tenancy audit documents for public housing tenants, staff data, and information on community safety.

“Our team had planned for any eventuality following October’s attack, and had a structured plan in place to respond to the publication of any data,” the council said. “Working with partners and the police, we are now executing this plan.”

The council reiterated that the publication of the data – a so-called double extortion attack designed to increase pressure on it to give in to the cyber criminals’ demands – should not affect the majority of residents or businesses in the London borough, but said it understood the public’s concerns, and apologised again.

At the time of writing, the council still believes the majority of personally identifiably information (PII) it holds is safe and that the leaked dataset is limited in its scope – also, it has not been published on a widely known forum, and is not searchable through Google or other search engines. A review is ongoing, and the Information Commissioner’s Office has been notified.

The council added that the data leak changed nothing in how it was going about restoring its disrupted services – a full list of which is available here.

“This was a complex and sophisticated criminal attack on public services, and we share your anger and frustration about how it continues to affect your services in the middle of responding to the coronavirus pandemic,” the spokesperson said.

In emailed comments, Hackney Council told Computer Weekly that, given it is involved in a live criminal investigation, it cannot yet put a timeframe on when its full suite of public services will be restored. Some may be unavailable for a number of months, but work is in progress to safely restore as much as possible, and many of the initially-impacted services are up and running again.