In October 2020, Hackney Council was hit by a serious cyberattack. The attack affected many of the council’s services and IT systems. This page explains how the Hackney Council data hack happened.
In October 2020, the databases and IT systems at Hackney Council suffered from outages. At that time, the Council did not know what, if any, data had been compromised.
The Pysa/Mespinoza ransomware gang later claimed responsibility for the attack. Seven months later, Pysa/Mespinoza claimed to have published on the dark web a range of information resulting from the incident. The stolen data reportedly included the sensitive personal data of staff and residents, such as passport documents.
The Mayor of Hackney condemned the “deplorable” actions of the cybercriminals and said he was determined to bring them to justice.
Following the hack, Philip Glanville, Mayor of Hackney, said in a statement:
“Hackney Council has been the target of a serious cyberattack, which is affecting many of our services and IT systems.
“Council officers have been working closely with the National Cyber Security Centre, external experts and the Ministry of Housing, Communities and Local Government to investigate and understand the impact of the incident.
“This investigation is at an early stage, and limited information is currently available. We will continue to provide updates as our investigation progresses.
“Our focus is on continuing to deliver essential frontline services, especially to our most vulnerable residents, and protecting data, while restoring affected services as soon as possible.
“In the meantime, some Council services may be unavailable or slower than normal, and our call centre is extremely busy. We ask that residents and businesses only contact us if absolutely necessary, and to bear with us while we seek to resolve these issues.”
Two years after the hack took place, the Council was still trying to recover from the security violation.
Following the publication of the data on the dark web, the Mayor of Hackney said:
“I fully understand and share the concern of residents and staff about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected.
“While we believe this publication will not directly affect the vast majority of Hackney’s residents and businesses, that can feel like cold comfort, and we are sorry for the worry and upset this will cause them.
“We are already working closely with the police and other partners to assess any immediate actions we need to take, and will share further information about the additional action we will be taking as soon as we can.”
In 2021, an IT blunder at Hackney Council publicly exposed the names and addresses of vulnerable women living in hostels for their own safety. The breach was only spotted when investigators at local newspaper Hackney Citizen informed the council.
Other documents were also mistakenly posted online, including details of a vulnerable tenant, notes from a welfare check on a frail resident, and contact details for council estate tenants who had requested repairs (including to broken doors).
An investigation found that the breach was made possible because senior managers in the Council’s IT team had chosen the wrong privacy settings on Trello, a free online project management tool. The highly sensitive and confidential data was unredacted.
Commenting on this privacy failure, a domestic violence campaigner said: “Vulnerable women could have been killed because of this. They might still be killed because of it.”
Speaking to the Hackney Citizen, one of the women affected by the breach said: “I trusted the council to protect me. When I was made homeless I was at their mercy. I thought they would keep me and my daughter safe – but this feels like a betrayal. It’s terrifying to find out that our address was on the internet for so long. I’m so angry that I don’t know what words to use, and I’m scared to even think what could have happened to us.”