The London Borough of Hackney (LBoH) has been reprimanded by the Information Commissioner’s Office (ICO) following a cyber attack in October 2020. The breach, which saw hackers access and encrypt 440,000 files, disrupted services for months and exposed sensitive data. LBoH acknowledged that the attack “posed a meaningful risk of harm” to 230 data subjects.

LBoH has taken remedial steps since the attack, and due to their positive actions, the ICO has decided to issue a reprimand rather than impose a fine. However, there are several lessons businesses can learn from this breach to protect their own digital assets and customer information. Here are five key takeaways:

  1. Vigilance Against Dormant Accounts: One major vulnerability exploited during the attack was a dormant account with an insecure password. Regularly auditing user accounts and ensuring that any inactive accounts are promptly disabled or removed is crucial. Weak or default passwords should be avoided at all costs.
  2. Timely Security Patches: The investigation revealed that LBoH failed to maintain an active security patch management system across all devices. Regularly updating software and systems to patch vulnerabilities is essential in preventing cyber attacks. Implement automated patch management tools to ensure that none of your systems are left outdated.
  3. Robust Backup Systems: Hackney’s attackers managed to delete 10% of the council’s backups before they were stopped. This highlights the need for an effective backup strategy that includes multiple backup copies stored in different locations. Regularly test your backup restoration process to ensure it works, so data can be restored quickly and completely in the event of an attack.
  4. Response and Remediation Plans: Following the attack, LBoH engaged with national authorities like the NCSC, the NCA, and the Metropolitan Police, and took swift action to inform residents and mitigate harm. A detailed incident response plan can help you respond in an organised and prompt manner if you experience a data breach. The plan should include notifying the affected parties and engaging with cybersecurity experts to manage the aftermath.
  5. Continuous Improvement and Training: Since the attack, Hackney has adopted a ‘zero trust’ model and improved its processes. Continuously evaluate and upgrade your security measures. Employee training on recognising phishing attempts and other common threats is straightforward to implement but can be a crucial part of your defence. Stephen Bonner, Deputy Commissioner at the ICO, emphasised the importance of avoiding simple security mistakes, noting that breaches often result from basic oversights. Training can significantly reduce the risk of these happening.

By taking these lessons to heart, you can ensure your cybersecurity strategies are robust, comprehensive, and regularly updated. This will help you better protect your data, maintain customer trust, and avoid the costly repercussions of a cyber attack.

See: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/07/london-borough-of-hackney-reprimanded-following-cyber-attack/