
Insecure password led hackers to 440,000 Hackney Council files

The Information Commissioner’s Office has formally reprimanded the authority for ‘failing to implement’ measures that could have protected a quarter of a million residents and their personal records.


A cyber attack that began in October 2020 resulted in sensitive information on at least 280,000 Hackney residents falling into the hands of criminals. This included details of racial and ethnic origins, religious beliefs, sexual orientation, health, economic and criminal data.

Names and addresses were also included, and 10% of backup data was deleted in the incident, which stretched into 2022, more than a year after the first red flags were raised. During this time, 39 complaints were raised by individuals regarding the situation.

Last week, the Information Commissioner’s Office concluded that the authority had failed to take necessary security steps or implement effective processes, including the use of an insecure password on a dormant account still connected to servers. This offered hackers an easy route into the network because a security patch management system was not applied to all devices.

‘This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents,’ said Stephen Bonner, deputy commissioner at the ICO. ‘This is entirely unacceptable and should not have happened.

‘While nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks,’ he continued. ‘Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided.’

However, measures taken by Hackney Council since the attack were deemed adequate enough to avoid a substantial fine and instead a formal reprimand has been issued. The authority has also taken issue with the conclusion that more could have been done, and said the ICO had ‘misunderstood the facts and misapplied the law’ in judging the case. In order to protect its stretched budget, though, an appeal will not be launched. ‘We do not believe it is in our residents’ interests,’ a spokesperson said. 

‘This was a deplorable attack by sophisticated, organised cybercriminals, coming at a time when we were responding to the first wave of the covid pandemic,’ said Hackney Mayor, Caroline Woodley. ‘While we do not agree with all the ICO’s findings, the completion of the investigation means we can focus on our ongoing efforts to keep data secure and deliver the vital services that our residents rely on. We deeply regret the impact that this senseless criminal attack had on Hackney residents and businesses.’


Image: Viktor Forgacs
