Hackney councillors claim that an IT audit report can be withheld from disclosure because it is related to the investigation, prosecution or prevention of crime
Published: 13 Jan 2022 12: 45
An auditor’s report into a “devastating” cyber attack which cost Hackney Council millions of pounds has been discussed behind closed doors by politicians.
Hackers attacked the council with Pysa, or Mespinoza, ransomware in October 2020, and the following January, cyber criminals published documents on the dark web, which allegedly included personal details of council staff and residents.
The council stated that search engines could not find data and that most sensitive or personal data were not affected.
The hack cost the council millions of dollars in terms of lost income and recovery, and it was especially hard for the council to do this in the middle a pandemic.
It impacted a variety of services, including the benefit system impacting benefits assessments and land ownership searches for thousands of residents. This hit house hunters as well as sellers.
Councillors on Hackney council’s audit committee looked at the report by the IT team at auditors Mazars in private, at a council meeting on 5 January.
Dawn Carter-McDonald was the council’s monitoring official. She said that the public couldn’t hear or read the contents of the report. Dawn Carter-McDonald, the council’s monitoring officer, stated that there was an exemption in local government legislation for “information relating any action taken or planned to be taken in connection to the prevention of investigation or prosecution or crime”.
Councillor Nick Sharman, who chairs the committee, said: “This is one of the most devastating attacks that we’ve received. It’s had a harmful effect both on the council’s operations and on residents, and we certainly want to share as much information as is possible.”
He stated that he sought advice from the monitoring officer, and that there may be “possible consequences of criminality”.
Sharman said he was “sensitive” to arguments for making the contents public and would look at what information could be released.
Council services still recovering
Over a year on, revenue and benefits services are now dealing with backlogs, but social care does not have “the full set of functions” it needs to run the department normally.
In a non-confidential repot, the council’s group finance director, Ian Williams, said: “Following work performed by Mazars IT audit team, in response to the cyber attack at the council, Mazars have concluded that they are satisfied that in all significant respects, the council had put in place proper arrangements to secure economy, efficiency and effectiveness in its use of resources for the year ended 31 March 2020.”
The council stated that it is still trying to recover data from the ransomware attack. It stated that
were the most important IT services.
- Mosaic (social care)
- Academy (benefits and revenues)
- M3 – Planning and land charges )
- The delivery of digital tools that can replace the legacy system for housing
Further work needed to recover systems
A public report said: “In all cases progress has been made, but due to the severe and complex nature of the attack, there is still further work needed to fully recover services.”
In some, such as revenues and benefits processing, system recovery work is sufficiently progressed that service teams are now able begin to address backlogs that have accumulated as a result of the attack.
In other services, such as social care, service team members have access core data that has been recovered, but not the complete set of functions needed to function normally.
“There are some data sets where recovery work is still subject to technical investigation, so timelines for recovery are not yet clear,” the report said.
A report by the council’s group director of finance, Ian Williams, said: “When the attack was discovered in October 2020, immediate work was carried out to isolate the Council’s internally hosted systems and network, and to notify the national leads for cyber security.”
However, it said that risks remain that recovery work may introduce new vulnerabilities or reintroduce vulnerabilities which existed at the time of the attack. The report stated that recovery work could lead to the retention of parts of the attack that could be used in the future.
Further risks remain relating to the data stolen and published on the dark web in January 2021.
Efforts to reduce high cyber attack risks
The council rates the corporate risk of the cyber attack as red and marks it as 15, against a target of 10 on its risk register. It also said the risk to information security, including “fall out” from the cyber attack, stood at 20 against a target of nine.
The only higher risks are an economic downturn and impact of funding for special educational needs support, which is rated at 25.
A corporate risk management report said numerous external events are having a considerable impact on the council’s objectives, notably the coronavirus pandemic and the October 2020 cyber attack.