Editorial

Hackney Council faces ICO after refusal to answer questions over 2020 cyberattack

Hackney Council accused of “trying to stonewall” attempts to investigate an October 2020 cyberattack

Posted 15 February 2022 by Christine Horton


A London council is being accused of “trying to stonewall” attempts to investigate an October 2020 cyberattack.

Hackney Council was attacked with Pysa, or Mespinoza, ransomware, impacting some of its online services, including housing and benefits. More than a year after the attack, the council says it is “still working to recover data”.

However, the council is reportedly refusing to answer questions over whether it gave staff extra cybersecurity training when they had to work from home and, if it did, whether or not everyone completed it.

Now it faces questions from the Information Commissioner’s Office (ICO), which served an information order on the council last November because it did not “give a substantive reason” for its refusal to answer questions.

It follows a Freedom of Information (FoI) request by local Liberal Democrat campaigner Darren Martin, who said he wanted “to raise awareness and help prevent future cyberattacks”.

The Hackney Gazette first reported that the council failed to respond when Martin asked for an internal review after his FoI request was refused. Then, because the council had still not replied to emails or phone calls from the ICO after a month, the issue was referred to its legal department.

According to documents seen by the Citizen, the ICO received automated responses stating the council was busy.

If an authority does not respond to an information order, it can be treated as contempt of court.

The Hackney Lib Dems last week tweeted that Hackney Council are “trying to stonewall our questions on the cyberattack. We need to know what happened, who is responsible and what actions need to be taken to limit the risk of this happening again.”

Causing further harm

Hackney Council said it did not have to give Martin details about its cybersecurity training, citing an exemption about the prevention or detection of crime.

The council spokesperson said it is “continuing to do everything possible to protect our systems and data, and also to support cyber resilience across the wider local government sector through sharing our learning.”

The council said it is taking a cautious approach over the details it is sharing but is “committed to being as transparent as possible”.

Said the spokesperson: “The criminal investigation into the attack is ongoing and sophisticated criminal groups continue to target all organisations. Even information that might appear low-risk may help criminals to cause further harm to the council and our residents.”

The council said an audit carried out by Mazars before the October 2020 attack concluded: “The council had appropriate arrangements in place to either prevent or reduce the likelihood of a cybersecurity breach.”