Cybersecurity lessons from Leicester City Council, MP and Electoral Commission attacks

With major IT breaches impacting politicians, local authorities, and the UK’s voter database, an expert in digital ambushes shares the real takeaways for organisations. 

Sellafield, the University of Manchester, CVS, The British Library, NHS data, Vans trainers, and Duvel beer. In 2024, cyber-attacks at an organisational level are a weekly, if not daily, occurrence. Two of the most visible examples in the past month involve major public sector players and political targets.

On 7th March, Leicester City Council was forced to disable all phone and computer systems due to a technical issue which, more recently, has been attributed to the actions of INC Ransom. The ransomware group claims to have taken 3TB of data, although nobody seems too sure.

At the time of writing it’s also unclear exactly what the criminals managed to transfer. 25 documents including rental statements, applications for the purchase of council housing, and IDs used to verify security with council services, among other associated agencies, appeared online soon after the breach. This prompted widespread warnings to the public about a heightened risk of phishing scams targeting Leicester households, and it took until 28th March for the authority to confirm ‘most’ of its services were once again online.

The saga continues. Just yesterday, a new cache of documents hit the internet, this time amounting to 1.3TB of data. Again, local residents have been told to remain vigilant, while those whose data has a high likelihood of being shared will be contacted directly to discuss next steps. More resources used to clear up the mess after what has been described as a ‘sophisticated’ attack. 

As all this unfolded in the East Midlands, national headlines have been dominated by another major IT breach. In August 2023, it emerged data on some 40 million people held by the Electoral Commission had been accessed by ‘hostile actors’. In the past fortnight, Government spokespeople, not least Deputy Prime Minister Oliver Dowden, laid the blame at China’s door, demanding an explanation from Chinese Ambassador to the UK, Zheng Zeguang.

The country has also been cast as villain in a separate incident. First, a group of three MPs, including outspoken critic of China Iain Duncan Smith, found themselves to be victims of individual attacks on their email accounts. That number then swelled to 30 parliamentary members, including high ranking senior roles. In both cases a coordinated attack carried out by sophisticated agents has been cited.

‘If you think back through all the headlines, all the statements you have been given on cybersecurity, ransomware attacks, anything like that, can you name a single one that was not ‘highly advanced’ or ‘sophisticated’?’ asks James Bore when we speak on the phone. A chartered security professional, author of The Cyber Circuit, a compendium of essays on IT security issues, and Managing Director of Bores tech and cyber information consultancy, he’s less convinced of the party line.

‘Years ago, a guy called James Linton did various phishing attacks against places like the White House and people such as the Chairman of the Bank of England. He’d be the first to admit it wasn’t very technical… I don’t see how the MP email hacks are any different to that,’ he continues. ‘I can see why a nation state might want to impersonate MPs. But it’s not particularly sophisticated. I think Duncan Smith was saying positive things about China in the email that impersonated him, how he’s changed his mind. That’s not advanced, it’s the level of a prank.’ 

Although clear on the fact the Electoral Commission case is markedly different, Bore is quick to voice surprise at the fact ‘they’ bothered to try and access the database in the first place. He says how the stories have unfolded in the press reveals the elephant in the cybersecurity server room. 

‘The simple fact is these things are not necessarily easy, and there are attacks which are actually planned, coordinated effort goes into them. But they are vanishingly small. Most are opportunistic. And they work because the attack surface is so large and so complex. You can’t cover everything. And if people keep trying different opportunities, different tactics, eventually they’ll get through,’ says Bore, before moving to the lessons organisations should take away from these incidents, and many other cybersecurity breaches. 

‘We need more security. And I say security rather than cybersecurity or IT. That means looking at the security of these systems, and organisations, and seeing what needs to be done. Often, security is considered an IT problem, carved out and relegated there – not invested in, largely unconsidered. I want to be completely clear, this is not because IT people are incompetent. They have huge expertise in their area. But the focus will be first and foremost on providing those systems. Security competes with that at times.’ 

So, are we spending enough on our cybersecurity infrastructure and resources? According to Bore, this question really misses the glaring point. As we have seen innumerable times in the past, monumental amounts of money don’t always guarantee great results. Or even a fit-for-purpose system. Instead, spending sprees simply distract us from the reality that root problems and concerns have yet to be dealt with in any meaningful way.

‘For things to improve, there’s got to be an independent focus on those security issues. And on the promotion of them, advocating them, championing them within organisations. Otherwise we’re just going to continue to get this sort of attack,’ Bore tells us. ‘We get people and organisations spending huge amounts of money on shiny technology that is meant to fix the issue, or preventing or detecting it or whatever it’s meant to do. Which doesn’t fix the underlying flaws that cause it.’

Images: Clint Patterson (top) / AltumCode (bottom)