Essential council services are still paralysed more than two months after a cyberattack crippled Hackney’s digital systems, causing delays and uncertainty for many.
Residents have struggled to apply for trading or event licenses, join the housing waiting list, carry out property searches, or get non-urgent repairs to council homes since the attack on October 13. The council cannot change or set up direct debits, while housing benefit payments are taking longer than usual.
Councillor Rebecca Rennison, who heads up finance and housing at the council, told Eastlondonlines: “This was an advanced, criminal cyberattack which has significantly affected the services across the Council that our residents rely on.”
“I would like to apologise for the disruption this has caused to our residents and reiterate our anger that outside parties have chosen to target a public body in this way.”
Jake Moore, cyber security specialist at internet security firm ESET, told ELL the level of disruption is “rare but by no means unprecedented”. Redcar council in Yorkshire took three months to restore 90% of its services after a cyberattack in February.
A council spokesperson said it is working to repair its systems and liaising with the government, National Cyber Security Centre and National Crime Agency to investigate the crime.
It has set up as online forms for certain services as well as phone lines and emergency support. No one will be penalised for missing a payment as a result of the cyberattack.
But it is still not possible to know for certain when things will be back up and running.
“You’re on your own here”
Meanwhile, many residents feel they are being left in the dark.
Reesha Holgate, 27, submitted a suitability review for a council home in July after being in overcrowded temporary accommodation for two years. It should take at most 56 days to process, but the council has not contacted her since October.
She told ELL: “Right now, the housing officer is ignoring all my emails … there’s just absolutely no communication.”
Holgate faces spending Christmas in a one-bedroom flat with her three children, one a premature newborn. “Nothing’s been changed or told to me.”
Kathryn McGlynn, 32, has everything she needs to buy a new-build flat in Homerton – except council land searches. She told ELL her solicitors have said the searches “could come online next week or could come online in 2022”.
Property searches are so important to house sales it effectively means no property can change hands in the borough at all.
“There’s literally no guidance or indication whatsoever… I sympathise with the people working on the council [but] I just find that staggering,” McGlynn said.
As the stamp duty holiday ends at the end of March, she could be out £17,000 if the search system is not back online. The council has advised her to go ahead with the purchase and take out indemnity insurance to cover any issues. But this is likely to be rejected by lenders, especially for a first-time buyer.
Rebecca, 36, from De Beauvoir, who did not want to give her full name, told ELL she – like many others – has been unable to set up a new council tax account since she moved address.
As a result, she will have underpaid council tax by “about £3,000” by January. She worries that her tax returns will be affected if she cannot pay by the end of the financial year in April.
“They should be communicating a little bit better,” she said. “What I’m hearing is, [the council] are just saying ‘well we can’t do it. You’re on your own here’.”
“An easy target”
Hackney Council has not yet released any information on what kind of cyberattack crippled its systems. It says it does not want to prejudice the ongoing investigation.
But Moore told ELL the disruption “bears all the hallmark of a ransomware attack”.
Ransomware is a type of malicious code that takes over a computer system and prevents access to data and files until the victim pays off the hackers. A ransomware attack called WannaCry held several NHS trusts hostage in 2017 as part of a worldwide series of hacks that took advantage of outdated computer systems.
The Hackney attack could be down to similarly lax security measures, Moore said: “Councils and other local government agencies often lack funding … [for] network protection. This makes them an easy target for those looking to exploit any weaknesses.”
If stringent security policies had already been in place, services should have been restored “in a few hours”.
George Glass, head of threat intelligence at Redscan, told ELL Hackney’s predicament highlighted how vulnerable essential services can be to cyberattacks.
He thinks it is too early to say for sure whether personal data has been accessed, “without a detailed forensic investigation”. Attackers can be difficult to detect and may even try to sabotage recovery efforts.
But Hackney residents should still be “extremely vigilant” about any communications they get in case their personal data has been sold on. “The range of information held by the council could be used by attackers to send targeted phishing scams and … guess the answers to security questions.”