Hackney Council may be forced to answer questions about IT security training after Pysa ransomware

A council hit by a cyberattack could be forced to answer questions about the IT and security training it provided to staff when forced to work from home due to the pandemic.

Cybercriminals hit Hackney Council in October 2020, with Pysa, or Mespinoza, ransomware crippling some of its online services.

Four months later, employee and resident data was reportedly posted on the dark web by hackers who claimed it came from the attack on the London council’s computer systems.

The council said the attack involved “a limited set of data, which has not been published in a widely available public forum, and is not available via search engines on the internet”.

The National Crime Agency is still investigating the attack, as is the National Cyber Security Centre.

Missing data

The attack cost the council millions of pounds and data is still missing on many services.

The council said the most critical services were Mosaic for social care, Academy for its benefits and revenue, and M3 for planning and land charges and providing modern digital tools in housing.

Other local authorities have been targeted by hackers. Gloucester Council became the latest victim when it came under attack for the second time in December, when hackers hit services such as revenue, benefits and planning.

The councils of Salisbury, Copeland and Islington were also hit by cyberattacks during the August Bank Holiday 2017, when hackers unsuccessfully demanded a ransom in bitcoins in exchange for data.

The Hackney attack affected benefits data. Some people were unable to carry out property searches, which affected some house sales in the east London borough.

The Information Commissioner must act

The council is now facing action from the Information Commissioner after it refused to say whether it gave security training to council staff when they had to work from home during the pandemic.

Liberal Democrat activist Darren Martin submitted a freedom of information request to ask the council what IT security training was provided to staff in the two years before the cyberattack.

“If it turns out that the attack that has crippled our vital services in the borough since 2020 came from a phishing scam or someone working from home, and that it could have been prevented by training and additional security – then the Mayor of Hackney and the Labour administration must take full responsibility for this,” Martin said.

Without the security protections provided by office systems, such as firewalls and blacklisted IP addresses, staff working from home could have been vulnerable to phishing emails and cyberattacks, the activist added.

Martin said he wanted Hackney Council to explain if they were offering additional training as more staff were working from home due to the pandemic.

“I have asked a simple question as to whether significant training has been provided to employees accessing the council’s systems from home, and if the release of this information affects the police investigation, it is the duty of Hackney Council to adequately explain why,” he said.

“While it is completely understandable that some information cannot be released due to the ongoing nature of the cyberattack and police investigation, Hackney Council cannot use this as an excuse to block every request for transparency.”

The council said it did not have to respond to Martin’s FoI request because of exemptions related to disclosing information about the prevention or detection of a crime.

Cloud services

Hackney Council said it had “invested heavily in modern technology and cloud-based services – ahead of many other councils”. It said it was not complacent before the attack and continued to invest in cybersecurity.

The authority said it was “moving away from old-school servers and PCs to cloud-based systems.”

The council’s older systems were hit by a “complex and sophisticated criminal attack on public services”, it added. “The attack on Hackney was part of a rapid increase in serious cyber threats around the world, affecting a large number of high-profile organisations.”

The council said it “continues to do everything possible to protect our systems and data, and also to support cyber resilience across the local government sector by sharing our learning.”

Risk of Contempt

Martin appealed the council’s action and then filed a complaint with the Information Commissioner’s Office (ICO), which sent the council an information order asking it to provide more details about why it had denied the request.

Public bodies must respond to an information order within 30 days or risk being held in contempt of court.

Follow-up emails from the ICO were met with out-of-office messages and the council did not respond to phone calls from the data watchdog. The matter has now been referred to the ICO Legal Department.

Hackney Council said it was talking to the ICO to fulfill its responsibilities regarding Martin’s FoI request.

Auditor Mazars’ annual letter, discussed by the board this year, said: “The work carried out by our IT and cybersecurity audit specialists has confirmed that the board has put in place appropriate provisions to prevent or reduce the likelihood of a cybersecurity breach.”

The council said it was following improvements recommended by Mazars in a report on the cyberattack that was discussed behind closed doors at a meeting last month.

The authority said it is committed to being as transparent as possible about the attack.

“Unfortunately, we have to be careful about what information we share,” a spokesperson said. “The criminal investigation into the attack is ongoing and sophisticated criminal groups continue to target all organizations. Even information that might seem low risk can help criminals cause more harm to the council and our residents.”
