News: 1721216706

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

London council accuses watchdog of 'exaggerating' danger of 2020 raid on residents' data

(2024/07/17)


London's inner city district of Hackney says the UK's data protection watchdog has misunderstood and "exaggerated" details surrounding a ransomware attack on its systems in 2020.

[1]

The inner London borough lies northeast of the city center and is home to "Silicon Roundabout", a cluster of high-tech companies

During the attack, thieves stole data of 280,000 Hackney residents, council employees and more, and some of the system's backups were deleted after the crooks broke into a server using an insecure password on a dormant account. The attack exposed "deeply personal information" as well as throwing multiple systems used by locals offline for extended periods.

The UK's Information Commissioner's Office (ICO), which imposes punishments on those who flout data protection law, issued the borough Hackney with a [2]reprimand today for the attack, which led to years of technical disruption and millions of pounds in damage.

An ICO reprimand is a formal expression of its disapproval and these have largely replaced the fines in the public sector that many think of when UK General Data Protection Regulation (GDPR) or such legislation is mentioned. It's a change current commissioner John Edwards announced in 2022 and these reprimands, which also contain advisory guidance to organizations, are published publicly to increase transparency over incidents. Fines are now reserved only for the most egregious breaches.

Among the conclusions made by the ICO following an investigation into the 2020 attack, it said Hackney Council had failed to properly implement a patch management system and change an insecure password on a dormant account which was ultimately used to initially gain access to its servers.

[3]

The ICO went on to acknowledge that the council was looking into replacing its patch management system with a more robust solution. It also said Hackney's infosec governance, policies, and training of staff were on point, especially during a trying pandemic period.

[4]

[5]

A spokesperson for the council [6]said today: "While we welcome the ICO completing its investigation, we maintain that the Council has not breached its security obligations. We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterized and exaggerated the risk to residents' data."

They went on to say that despite the disagreement with the ICO, the council isn't prepared to use its "limited resources" to challenge the watchdog's ruling, before pointing to other local authorities' breaches and how cybersecurity is a tricky business.

[7]

"While we do not agree with all the ICO's findings, the completion of the investigation means we can focus on our ongoing efforts to keep data secure and deliver the vital services that our residents rely on," said Caroline Woodley, Mayor of Hackney.

"We deeply regret the impact that this senseless criminal attack had on Hackney residents and businesses, and I am grateful to council staff who continued delivering for our communities despite the challenges, and to our residents for their patience while services were impacted."

Facts of the matter

Hackney's [8]cyberattack attracted a great deal of attention back in 2020, at the height of the COVID-19 pandemic, and that attention lingered as new details of the incident were drip-fed to the public over a prolonged period.

The attack was claimed by the now-defunct [9]Pysa ransomware crew , but despite no official council comms mentioning "ransomware", the fact the data was encrypted, stolen, and backups destroyed all suggests [10]ransomware was involved. Deploying a ransomware payload was also part of Pysa's MO at the time, shortly before [11]encryptionless attacks became trendy.

All in all, Pysa was able to encrypt 440,000 files concerning at least 280,000 Hackney locals, staff, and others. The ICO said 9,605 files were stolen by the criminals and these contained data such as race and ethnicity, religious beliefs, sexual orientation, health data, economic data, criminal offense data, and the usual personal information that's often included in data breaches: names, addresses, etc. Hackney acknowledged that the theft of this data "posed a meaningful risk of harm" to 230 individuals.

[12]

The attackers also deleted 10 percent of the council's backups before its security professionals stopped the intrusion and stopped the attack from going any further. The damage, however, was already done and many of its systems were down for months.

Hackney's ability to respond to [13]Freedom of Information Act requests and subject access requests was also impeded for around two years after the attack. Although, cyberattack or not, many local authorities struggled in this regard due to the COVID-19 pandemic.

[14]Rite Aid admits 2.2 million people’s data stolen by criminals

[15]I spy another mSpy breach: Millions more stalkerware buyers exposed

[16]Call, text logs for 110M AT&T customers stolen from compromised cloud storage

[17]Japanese space agency spotted zero-day attacks while cleaning up raid on M365

Stephen Bonner, deputy commissioner at the ICO, [18]said : "This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents. At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers. Systems that people rely on were offline for many months. This is entirely unacceptable and should not have happened.

"Whilst nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyberattacks. Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided."

Bonner went on to again acknowledge Hackney's swift actions to mitigate the attack and the more robust security measure it now has in place – factors that influenced its decision to skip imposing a fine and instead adopt the ICO's fine-averse public sector approach. ®

Get our [19]Tech Resources



[1] https://regmedia.co.uk/2024/07/17/shutterstock_hackney.jpg

[2] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/07/london-borough-of-hackney-reprimanded-following-cyber-attack/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZpfqmcDWtqmWM@wqJqyrLAAAAZc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZpfqmcDWtqmWM@wqJqyrLAAAAZc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZpfqmcDWtqmWM@wqJqyrLAAAAZc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://news.hackney.gov.uk/response-to-information-commissioners-office-cyberattack-investigation/

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZpfqmcDWtqmWM@wqJqyrLAAAAZc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2020/10/13/hackney_council_hacked_hackers_cyberhack/

[9] https://www.theregister.com/2021/07/15/mespinoza_ransomware_profile/

[10] https://www.theregister.com/2024/07/16/scattered_spider_ransom/

[11] https://www.theregister.com/2022/10/09/extortion_ransomware_threats_category/

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZpfqmcDWtqmWM@wqJqyrLAAAAZc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[13] https://www.theregister.com/2023/12/20/greater_manchester_police_foi/

[14] https://www.theregister.com/2024/07/16/rite_aid_says_22_million/

[15] https://www.theregister.com/2024/07/15/infosec_roundup/

[16] https://www.theregister.com/2024/07/12/att_110_million_call_text_logs/

[17] https://www.theregister.com/2024/07/11/jaxa_m365_zeroday_attacks/

[18] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/07/london-borough-of-hackney-reprimanded-following-cyber-attack/

[19] https://whitepapers.theregister.com/



Anonymous Coward

A stern talking to isn't going to improve things... and in this case it's just resulted in talking back.

I can see that fining a public body could be seen as self-defeating but the only alternative I can think of is having someone take the fall. In other words make a senior person responsible unless they can prove they had taken reasonable steps to stop the problem. That might concentrate their minds a little.

Anonymous Coward

The problem is that the chief exec is the senior person who should take the flack, but if they're fined you'll find that they then receive a one-off performance bonus of a coincidentally similar value. Us tax payers will still be paying.

FrogsAndChips

I think the original AC meant to fire them, not fine them. Or if you can't fire them, send them to manage a paper company in Slough.

Yorick Hunt

A "paper company," yes - as in, a company which still uses pen an paper, and not one that uses (hackable).computers.

plunet

What would make more sense is if the ICO could impose auditable improvement plans maybe with the compromised entity committing to certain outcomes including capital and operational investment.

It's similar to off the shelf SLA statements where supplier commits to pay customer 2 shillings in the event of a SLA failure provider that you claim on the right form etc. A service improvement plan that ensures that whatever went wrong can't happen again is surely more value to both supplier and customer.

"auditable improvement plans"

Mike 137

I've proposed pretty much your suggestion to officialdom several times over the last few years, but nobody has seen fit to implement it (or indeed even comment on it seriously). They prefer fines (punishment) to improvement (results). The current Information Commissioner seems however to be a bit more far sighted, but it remains to be seen to what extent that will be useful, bearing in mind the proposed politicising and neutering of the ICO role (which for now fortunately died in the run-up to the election but could well be resurrected).

gnasher729

40 years ago I worked for the chemical industry in Germany.

One multi-billion company whose name you know had quite a few safety blunders and promptly paid its fines every time. Until the body responsible for safety and fines told them “we have the impression that you are not taking safety seriously. You have six weeks time to convince us you take this seriously, or we will shut your operations down”. That was the first time ever a threat like that was issued, but they meant it, and would have been able to enforce it

In this situation, if a Council doesn’t take security and privacy seriously, then the highest person who can affect it should be made to leave

low_resolution_foxxes

It's the classic scenario where those in charge are fundamentally responsible for commercial profit, so expenditure has a lever to reduce money spent. But if there are no repercussions for poor IT/safety records you are relying on someone who is inherently busy monitoring highly technical tasks they do not really understand (the obvious solution is to hire an appropriate expert).

If the CEO faces no consequences, then you can expect minimal attention to these things. That works for both corporations and governments.

Anonymous Coward

CEO paying IT no attention is usually a good thing, as long as money is available.

CEO paying attention generally means sticking their nose in where it's not wanted, questioning things that would be obvious to those in the field, and demanding pointless things. Nope, I'd rather they stay away and let IT people get on with ITing.

Doctor Syntax

At least they're consistent. If they don't believe the risk was serious then it's reasonable to believe they didn't need to defend against it.

Perhaps their response could be taken as escalating the seriousness to the point where a fine is appropriate. Even so it doesn't make sense for one part of the public sector to be fining another. It's not an easy situation but one that needs to be looked at in terms of how to tackle this in future. Perhaps a requirement that an admonition to a public body should reult in a note being placed on the personal records of senior officers, sufficient to block any salary increases or promotions for some years and a requirement that it should be mentioned on their CVs when applying for any other job in the public sector.

Don’t fire, don’t fine

claimed

Fine is a business cost, firing means the org doesn’t learn. Cap all salary and remuneration for 5 years for everyone above the salary waterline. No bonuses to get round it, that’s it, frozen for 5. Everyone will be invested as fuck in making sure a) that’s doesn’t happen, b) it’s fixed. Meetings will be “what about security, what about security”

Then all you have to argue is where is the waterline

Re: Don’t fire, don’t fine

Anonymous Coward

" Cap all salary and remuneration for 5 years for everyone above the salary waterline"

That would just mean that the responsible people start looking for jobs elsewhere to get a pay rise.....

fnusnu

The dogs bark, but the caravan goes on.

No guest is so welcome in a friend's house that he will not become a
nuisance after three days.
-- Titus Maccius Plautus