The Insider Account of a Debilitating Cyber Attack Using Ransomware
The first time Rob Miller heard there was a problem was on a Sunday morning in the middle of October 2020. In East London, at Hackney Council, both the databases and the information technology systems were down. A second, more lethal wave of the coronavirus pandemic was about to hit the United Kingdom, putting millions of people in quarantine and severely disrupting daily life. Miller was the strategic director at the public authority, and his situation was about to deteriorate dramatically. Miller says, “By lunchtime, it was obvious that it was more than technical stuff.”
Two days later, the leaders of Hackney Council, one of London’s 32 local authorities and responsible for the welfare of more than 250,000 people, announced that it had been the target of a cyberattack. Its systems had been crippled by ransomware deployed by criminal hackers, making it difficult for the council to care for its constituents. After the fact, the Pysa ransomware group took credit for the attack and, a few weeks later, claimed it would release information stolen from the council.
More than two years after the ransomware attack, Hackney Council is still coping with the enormous fallout. Many council services were unavailable for close to a year. Crucial council systems, such as housing benefit payments and social care services, were broken. Although it has resumed some of its operations, the Council is still not fully functional as it was before the attack.
WIRED looked through dozens of council documents, minutes, and meeting notes to determine how much disruption the ransomware caused to the council and, more importantly, to the thousands of people it serves. The attack by the sneaky criminal organisation had negative effects on people’s health, living conditions, and bank accounts. The severity of the attack against Hackney is notable, but so is the length of time it has taken for the organisation to recover and continue aiding those in need.
Calls for a Ransom
Cities and their governments are like intricate machines. They consist of thousands of people operating hundreds of services that have an impact on nearly every aspect of an individual’s life. The vast majority of these efforts are unrecognised until something goes wrong. Because of the ransomware attack, Hackney has been rendered inoperable.
Hackney Council provides hundreds of services, including social and children’s care, waste collection, benefits payments to the needy, and public housing, just to name a few. Many of these operations rely on proprietary software and hardware. Hackney Council’s services are similar to those of utilities and healthcare facilities in many respects.
Jamie MacColl, a cybersecurity and threat researcher at the RUSI think tank, is studying the societal effects of ransomware. “The attacks against public sector organisations, like local councils, schools, or universities, are quite powerful,” he says. Things that are essential to daily life, but not as essential as the electricity or water supply.
Miller informed councillors at one public meeting in 2022 that all systems hosted on Hackney’s servers were affected by the ransomware attack. Some of the areas hardest hit were social services, housing subsidies, council taxes, business rates, and housing maintenance. The council has not paid any ransom demand, so databases and records are inaccessible. Hackney Council’s data and insight manager, Lisa Stidle, said in a talk about the council’s recovery last year, “most of our data and our IT systems that were creating that data were not available, which really had a devastating impact on the services we were able to provide, but the work that we do as well.”
One disabled Hackney resident (who did not wish to be identified) claims they applied for social care at the end of June 2021 (eight months after the cyberattack first hit) but did not receive a care plan or visits from carers until February 2022. “I was unable to take a shower,” they say. “I couldn’t wash my own hair.” “And they kept telling me the hack was the reason for the delay.” Months after first contacting the council, the individual finally received a response, and the worker they spoke with expressed relief that they were still alive, as their situation was unclear and the case had been delayed.
Victims of the ransomware attack in Hackney have shared their stories with independent complaint boards. It is estimated that Hackney accumulated a 7,000-repair backlog as a result of the cyberattack and the subsequent pandemic. According to a May 2022 report by the Housing Ombudsman, Hackney engaged in “severe maladministration” that caused “substantial delays” in addressing “damp, mould, and leaks” at one resident’s home. The Ombudsman found that despite Hackney losing its records in the cyberattack, the council did not do enough to check emails (which were still available) or interview staff about the case. According to the council, the attack “impacted on our ability to retrieve our housing management and repairs data, as well as historic records, and sadly impeded our ability to investigate the resident’s complaint.”
The council received additional criticism for its ineffective noise complaint reporting system. Council tax payments had accumulated in arrears. It also failed to conduct thorough investigations of customer complaints due to a lack of supporting documentation. According to council reports, in the months following the attacks, a “large number” of people complained to the council about the destruction of their housing records and personal correspondence. One resident hadn’t used their kitchen in over a year because of the cyberattack, which also partially slowed down construction. ITV News also reported in July 2022 that a Hackney family of seven had to relocate after the council was unable to bring their housing benefit payments up to date.
Council members and Hackney’s mayor, Philip Glanville, have expressed regret for the attack’s effects on locals. The council has issued an apology to “all of those who have been affected as a result of the criminal action that left us unable to help some of the most vulnerable in our borough” in response to the Ombudsman’s decisions.
Miller argues that the severe consequences of the attack show how many “critical services” are provided by the council and how dangerous ransomware attacks are. “Everything we do has some kind of significance,” he says, “but some of the things really are very acute.” Despite the widespread effects, he claims the council prioritised high-risk cases during its recovery from the attack. The number of affected locals has decreased over time. However, if you are a local resident who will be negatively impacted, none of that will help.
Hackney Council has been silent on the technical details of the ransomware attack since it occurred, citing ongoing investigations by the UK’s National Crime Agency and the data regulator, the Information Commissioner’s Office (ICO), which could result in fines for the council. The ICO has stated that its investigation is still ongoing, but no estimated completion date has been given.
In recent years, malicious hackers have frequently targeted municipal governments and public institutions. Aggressive ransomware groups have targeted hospitals and healthcare providers, local governments, and even nations. GCHQ’s deputy director of incident management in the United Kingdom, Eleanor Fairford, who aided Hackney, calls ransomware the “most significant” threat to public and private sector organisations alike.
Fairford, citing its advice on ransomware protection, says, “Incidents can affect every aspect of an organization—from impeding its ability to deliver key operations to hitting finances,” and the effects are felt both immediately and over time. Hackney lost at least £12 million ($14.8 million), with multiple services reporting budget overruns due to the attack.
According to Lizzie Cookson, director of incident response at ransomware recovery firm Coveware, 13% of the ransomware victims the company saw in the final three months of 2017 were from the public sector. Cookson comments, “That’s pretty high,” before noting that public services are frequently underfunded and under-resourced. When the sector is attacked, thousands of people are affected over a long period of time. Miller has called the effects in Hackney “poisonous,” demonstrating how serious a ransomware attack can be. There’s a tendency to dismiss it because “it’s easy to assume that it’s faceless and doesn’t really have a big impact,” he says. But it does affect people, you know?
The residents of Hackney have felt the effects of the cyberattack, but the staff has also been affected. Hackney Council’s hundreds of employees have had to persevere in the face of disruption, providing assistance to residents despite limited access to information systems. According to Jessica Barker, co-CEO of cybersecurity firm Cygenta and an observer of the Hackney attack, “when there’s an incident like this, it can cause a lot of stress, anxiety, and upset for the people who are involved.” Barker elaborates by saying that those working in technical recovery may experience stress and burnout, while those working directly with citizens may have had to put in overtime.
Hackney’s Children and Families Service, which at first lost its social care management and document management systems, acknowledged the attack’s toll on staff in an annual report. In light of the pandemic and the ransomware attack, “morale in some parts of the service may be lower,” it warned. It also claimed that “the legacy of the October 2020 cyberattack cannot be understated.”
Miller acknowledges that it has been challenging for the Hackney staff, but he is “proud” of their response. The reason people enter public service, he says, is to “make life better for them.” This means providing residents and citizens with the services they require. I think it’s been really tough for people to be in a position where they’ve had to put in a lot of effort but know they’re not getting the results they’d hoped for. They are concerned with the impact on our community.
Hackney Council is unusual in a number of respects. Most people who have been hit by ransomware are reluctant to speak publicly about it. They dodge questions by referring to mysterious “cyber incidents” and “sophisticated attackers.” When compared to other cities, Hackney has been the most open.
Miller claims that the fact that Hackney is still operating is due in large part to the fact that it took steps to modernise its technology and move its services to cloud hosting. The council’s website, email servers, and messaging apps all functioned normally. They didn’t just use paper and pencil. Every day, the council would hold an emergency meeting known as “Cyber GOLD” to introduce new business strategies. Miller says that there will be emergency meetings during the recovery to discuss how to deal with the pandemic and the ransomware attack simultaneously. The council reported that all of its services had returned a year after the attack, though they were not functioning normally.