zephyr_p - stock.adobe.com

Councillors refuse public release of IT audit of Hackney Psya ransomware attack

Hackney councillors claim an IT audit report is exempt for disclosure as it relates to action taken in relation to the prevention, investigation or prosecution of crime

An auditor’s report into a “devastating” cyber attack which cost Hackney Council millions of pounds has been discussed behind closed doors by politicians.

Hackers attacked the council with Pysa, or Mespinoza, ransomware in October 2020, and the following January, cyber criminals published documents on the dark web, which allegedly included personal details of council staff and residents.

The council said data could not be found through search engines and most personal or sensitive data was not affected.

The hack has cost the council millions in terms of recovery and lost income, and hit it hard coming in the middle of a pandemic.

It hit a range of services, including the benefits system impacting benefits assessments for thousands of residents, as well as land ownership searches, which hit house hunters and sellers.

Councillors on Hackney Council’s audit committee looked at the report by the IT team at auditors Mazars in private, at a council meeting on 5 January.

The council’s monitoring officer, Dawn Carter-McDonald, said the public could not hear about the contents of the report or read it. She cited an exemption under local government legislation because of “information relating to any action taken or to be taken in connection with the prevention, investigation or prosecution of crime”.

Councillor Nick Sharman, who chairs the committee, said: “This is one of the most devastating attacks that we’ve received. It’s had a harmful effect both on the council’s operations and on residents, and we certainly want to share as much information as is possible.”

He said he took advice from the monitoring officer and there could be “possible implications of criminality”.

Sharman said he was “sensitive” to arguments for making the contents public and would look at what information could be released.

Council services still recovering

Over a year on, revenue and benefits services are now dealing with backlogs, but social care does not have “the full set of functions” it needs to run the department normally.

In a non-confidential repot, the council’s group finance director, Ian Williams, said: “Following work performed by Mazars IT audit team, in response to the cyber attack at the council, Mazars have concluded that they are satisfied that in all significant respects, the council had put in place proper arrangements to secure economy, efficiency and effectiveness in its use of resources for the year ended 31 March 2020.”

The council said it is still working to recover data lost during the ransomware attack. It said the most critical IT services were:

  • Mosaic (social care)
  • Academy (benefits and revenues)
  • M3 (Planning and land charges)
  • The delivery of modern digital tools to replace a legacy system in housing

Further work needed to recover systems

A public report said: “In all cases progress has been made, but due to the severe and complex nature of the attack, there is still further work needed to fully recover services.”

In some, such as revenues and benefits processing, system recovery work is sufficiently progressed that service teams are now able begin to address backlogs that have accumulated as a result of the attack.

In other services, for example, social care, service teams have access to core data that has been recovered but do not yet have access to the full set of functions required to operate normally.

“There are some data sets where recovery work is still subject to technical investigation, so timelines for recovery are not yet clear,” the report said.

A report by the council’s group director of finance, Ian Williams, said: “When the attack was discovered in October 2020, immediate work was carried out to isolate the Council’s internally hosted systems and network, and to notify the national leads for cyber security.”

However, it said that risks remain that recovery work may introduce new vulnerabilities or reintroduce vulnerabilities which existed at the time of the attack. Recovery work could also lead to retention of elements of the attack which could be reused in future, the report said.

Further risks remain relating to the data stolen and published on the dark web in January 2021.

Efforts to reduce high cyber attack risks

The council rates the corporate risk of the cyber attack as red and marks it as 15, against a target of 10 on its risk register. It also said the risk to information security, including “fall out” from the cyber attack, stood at 20 against a target of nine.

The only higher risks are an economic downturn and impact of funding for special educational needs support, which is rated at 25.

A corporate risk management report said numerous external events are having a considerable impact on the council’s objectives, notably the coronavirus pandemic and the October 2020 cyber attack.

“Areas like finances (with budget cuts, and especially current challenges like the volatile energy market and rapid increases in cost of living) were already problematic before the pandemic, and they have intensified now, and the cyber attack has severely affected the effective operation of some services,” the report said.

Cyber hackers struck at Gloucestershire council in December 2021. Affected services included revenue and benefits and planning.

Salisbury, Copeland and Islington councils were hit by cyber attacks over the August Bank Holiday in 2017. Hackers unsuccessfully asked for a bitcoin ransom in return for data.

A survey by Big Brother Watch found that 114 councils had at least one computer system breach between 2013 and 2017, with 25 of them suffering a data loss or breach.

Read more on IT strategy

Data Center
Data Management