During the August bank holiday in 2017, Copeland Borough Council was hit by a zero-day ransomware cyber attack.
A zero-day attack means the attacker is using malware so new that it is not yet recognised by any anti-virus product. Copeland did have anti-virus in place, but signature-based tools can only block what they already know about, so the council's existing protection could not have stopped this attack, despite its best efforts.
The attack was extremely fast and extremely virulent. Within three days, the majority of Copeland's files had been encrypted by the ransomware. In simple terms, this meant no-one in Copeland had any access to files or systems saved on shared or personal network drives. The only accessible files were those stored locally on individual devices, and those saved in Microsoft OneDrive.
The hackers demanded a bitcoin ransom from Copeland in return for restoring access to the files. Some of Copeland's systems were effectively rendered out of action, as networks had to be taken offline to stop the attack spreading further, and to begin to understand and tackle its impacts. The only systems available were those that were web based, such as the system used to run the waste service.

The impact was huge. Overall, some parts of the council spent around ten weeks without basic IT functionality such as access to files, printing and scanning. The knock-on impact for the council is hard to quantify. The council had no financial systems, including payroll: fuel for the council's fleet could not be paid for, and only a basic payroll could be run, so no overtime or expenses could be paid.

Restricted access to land charges caused some of the biggest issues, with house sales in the area being halted. For those moving into the area, this meant they were at risk of having sold their existing home and having to find temporary accommodation while the purchase of the property in Copeland was completed. A time-consuming manual workaround was put in place to reduce the risk of this happening.
It took several months for some council systems to be reinstated. No bills could be issued for anyone whose circumstances changed after the cyber-attack, so a backlog of more than 8,000 council tax and business rates bills was sent out in February the following year.
A key problem was the significant loss of data. Some staff teams lost years of work. This hit teams holding crucial information, such as licensing, planning files and environmental health records. Many spent time painstakingly piecing together what they could from email communications. In this environment, it was a real challenge for the leadership team to maintain staff morale. Agile working was encouraged, and additional flexi-time arrangements were put in place for staff.
To add to the difficulties of the recovery, Copeland had to manage a by-election during this same period. A case study on how they managed this is available from the Electoral Commission.
Fortunately, however, the use of modern cloud-based systems meant that email remained available, which enabled at least some basic functionality. Likewise, because Revenues and Benefits was handled off-site under a shared service arrangement, those services could also continue, with staff temporarily relocated to neighbouring council offices in the borough. Copeland's attackers remain unknown.
How the council responded
It took a couple of days to understand the scale and impact of the cyber-attack. Once it was understood, however, the council acted swiftly: a command structure was set up and the corporate and service business continuity plans were activated.
A specialist IT team, managed by Copeland's own IT Manager, was assembled, including colleagues seconded in from the IT and cyber security sector and from neighbouring authorities and partners.
The senior management team dealing with the incident met staff through face-to-face briefings, allowing staff to ask questions and discuss the issue openly. The council also had to be honest and frank with all stakeholders, who would not only experience the disruption to normal council operations but might also be put at risk by the attack themselves.
The council informed the Police cyber-crime unit and the Information Commissioner's Office (ICO). Although the council did not believe any personal data had been compromised by the attack (as opposed to being made inaccessible), conversations with the ICO were still continuing 12 months after the initial attack.
Key learning points
- The fact that some fully modernised services in the council had gone paperless made matters worse, because their plans and reference documents were on the encrypted drives. Learning from the attack, emergency resources such as departmental business continuity plans and emergency contact lists will now be kept in web-based systems, with each team storing its key documents and ensuring they are regularly refreshed. Resilience Direct, a cloud-based system used for emergency planning, is also being used to store service-based plans and the corporate business continuity plan. It would also have helped to have all stakeholders mapped out in advance, and a list of all statutory returns to refer to.
- Both corporate and departmental business continuity plans are being updated to account for a similar attack or IT outage period in future. Asset registers have been updated and the council’s procurement processes are being reviewed. The council’s flexible agile working strategy has also been accelerated.
- Despite the attack being unavoidable in this case, the council has since taken a number of measures to continue to improve its cyber resilience: it has run a full cyber health check, re-applied for PSN compliance, and brought in compulsory cyber security training for all staff and members. The council is currently redrafting its cyber strategy and has clarified roles and responsibilities around IT. Networks have also been redesigned so that a future attack could be isolated, and the council has worked to develop a better understanding of all the IT assets it holds.
- The council still turns all systems off over bank holidays, and will continue to do so at least as long as it remains in recovery, which it expects to be complete within 18 months of the attack. It is a known strategy of cyber attackers to target organisations at weekends, over known holiday periods, and on the anniversaries of previous attacks.
- As part of its strategy, the council has also developed its succession planning for key information, in particular so that it is not lost as staff leave or move on.
- The council has also instilled greater discipline around document management and around which files it is necessary to keep, in line with the GDPR. Council systems should not be cluttered with files that are no longer needed. This also makes it easier to understand what has been lost, and what needs to be restored, in an event like this.
- Communications are a challenge over a prolonged period of time, particularly keeping elected members on board. This needs to be managed consistently, keeping in mind the specific needs and concerns of different audiences e.g. staff, stakeholders, elected members, the public.
- The council had to speed up its procurement mechanisms during the incident so that decisions such as paying for IT professionals to be seconded in could be taken quickly. Guidance for the sector on how to manage this in an emergency would be useful.