In 2020, Hackney Council was the victim of an extremely disruptive ransomware attack which affected all systems and services. ‘Among the hundreds of services Hackney Council provides are social and Public Health care, waste collection, benefits payments to people in need of financial support, and public housing. Many of these services are run using in-house technical systems and services’[12] which meant these critical services were unable to operate. Two years after the initial incident, they were still in recovery mode, with some IT systems still in the process of remediation, whilst some data was completely lost. The attack cost the council approximately £12 million.
In March 2023, Capita, an organisation which runs crucial services for many local councils, the military, and the NHS, was the victim of a cyber attack, which caused a significant IT outage. Following the attack, Capita was also found to have been storing client data in unsecured cloud storage. At least six organisations were directly affected by the attack, which exposed potentially sensitive data and caused some services to come to a halt. The attack garnered significant media attention and exposed the supply chain risk experienced by all councils. Reputational damage and resident concern were significant issues. The Director of Resources at Rochford District Council said in a statement: [13]
‘We take very seriously our commitment to safeguarding the privacy and security of our residents’ personal information. We know this will cause concern to residents and we want to apologise to those affected on behalf of Capita. We will be working with Capita to review the company’s processes and ensure the avoidance of any further breaches.’
The month following the Capita incident, in April 2023, a Scottish council accidentally released 15,000 staff members’ personal data following an FOI request. [14] Corporate services teams must be aware that not all information loss happens for malicious reasons.
The request asked for the details of staff pay grades, but when the local authority shared a spreadsheet containing the information, the employee data was not anonymised. The data breach reportedly revealed information such as workers’ names, National Insurance numbers, salaries, and workplace.
A spokesperson for South Lanarkshire Council said:
‘A spreadsheet containing anonymised employee data was uploaded to a website in response to a Freedom of Information request, and unfortunately as a result of human error, the spreadsheet contained a second page of personal data that had not been anonymised. The error was noticed by the council, and we arranged for that data to be removed. To the best of our knowledge the information was not accessed, and we believe the data could not be used in a way that would be harmful to those involved.’
The pages below contain a few examples of how a cyber attack could affect specific service areas, and things you should consider when preventing or recovering from a cyber attack:
Planning
Legal
Environment
Adult social care
Public health
Procurement
Corporate
Finance
Children's services