From the Information Commissioner’s Office:
We have issued the London Borough of Hackey with a reprimand following a cyber-attack in 2020 that led to hackers gaining access to and encrypting 440,000 files, affecting at least 280,000 residents and other individuals including staff.
In October 2020, hackers attacked the London Borough of Hackney (LBoH) systems – accessing, encrypting, and in some instances exfiltrating records containing personal data. The encrypted data included data on residents that revealed their racial or ethnic origin, religious beliefs, sexual orientation, health data, economic data, criminal offence data, and other data including basic personal identifiers such as names and addresses.
Some of the data which was encrypted was also exfiltrated by the attackers. Of those affected records, we understand that 9,605 records were exfiltrated, with the attack being acknowledged by LBoH to have “posed a meaningful risk of harm” to 230 data subjects.
The hackers encrypted the data and then deleted 10% of the council’s backup before the council managed to intervene. The cyber-attack also resulted in LBoH systems being disrupted for many months with, in some instances, services not being back to normal service until 2022. One such instance of this disruption related to LBoH’s ability to deal with Freedom of Information requests and subject access requests. We received 39 complaints from individuals who had made subject access requests to LBoH between August and October 2020 but had not received an appropriate response.
In the subsequent investigation into the data breaches, we found examples of a lack of proper security and processes to protect personal data. LBOH failed to ensure that a security patch management system was actively applied to all devices, and failed to change an insecure password on a dormant account still connected to Hackney council servers which was exploited by the attackers.
Read more at the ICO’s website.