An ‘Avoidable Error’ Enabled Pysa Ransomware Group to Encrypt 440,000 Files
The U.K.’s data watchdog agency on Wednesday reprimanded London’s Hackney Council over its failure to protect the data of nearly 280,000 town residents from a ransomware hack that resulted in attackers leaking sensitive data.
The attack is estimated to have cost the East London council over 12 million pounds to recover its systems. The Pysa ransomware group claimed credit for encrypting 440,000 files in the attack, which occurred in 2020.
The data published by the threat actors included Hackney residents’ personally identifiable information, including race, health data and criminal offense records.
The U.K.’s Information Commissioner’s Office, which launched an inquiry into the hack in 2020, on Wednesday issued a reprimand against the council for violating the U.K. General Data Protection Regulation.
The ICO said the council failed to process data securely, lacked appropriate security measures to protect critical data, and failed to prevent accidental loss of or tampering with that data.
Although the ICO could have imposed a fine of 1.35 million pounds against Hackney Council, the regulator decided against levying a fine in light of a 2022 decision by the agency to exempt public sector organizations from monetary fines.
The ICO described the incident as an “avoidable error,” and its investigation found that the council had no appropriate patch management cycle in place at the time of the hack.
The ICO’s analysis also found that the attacker gained initial access through an exposed Remote Desktop Protocol service that was operating outside of the organization’s security policy.
The attackers then compromised a public access account created in 2005, which, despite being dormant since 2012, could still be accessed using the default username and password, “kiosk.”
To gain persistence, the attackers exploited an unpatched Windows flaw for which Microsoft had already issued a fix. From there they compromised 125 Hackney Council servers and 1,000 VDI instances.
“This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents,” Stephen Bonner, deputy commissioner of the ICO, said. “If we want people to have trust in local authorities, they need to trust that local authorities will look after their data properly.”
The ICO said the incident could have been worse: the council swiftly isolated the affected network, limiting the hackers to downloading only about 10% of the data stored on the servers.
After the incident, the council took further remedial actions, such as requiring complex passwords for user accounts with automatic sign-on updates, adding an auto-expire feature for unused accounts, auditing systems to identify dormant accounts and deploying multifactor authentication.
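The two security-relevant findings in this story are the dormant, default-credential account used over exposed RDP, and the council’s later decision to audit for dormant accounts and auto-expire them. The following is an added example written for this article, not code from the ICO, Hackney Council or any tool named here. It shows both checks over constructed data: a dormancy audit against an account inventory, and a detection that flags a Remote Desktop logon (Windows event 4624, logon type 10) by an account that had been dormant longer than a policy threshold. The account names, dates, IP addresses, the 365-day threshold and the internal address ranges are all assumptions for illustration; the report gives none of them.

```python
"""Dormant-account audit and dormant-account RDP logon detection (added example)."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DORMANT_DAYS = 365       # assumed policy threshold; the ICO report names no number
RDP_LOGON_TYPE = 10      # Windows event 4624 LogonType 10 = RemoteInteractive (RDP)

# Assumed internal address space; any other source address is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed account inventory: last logon as recorded by the directory before
# the incident window. "kiosk" mirrors the default-named account in the article;
# the dates are illustrative, not from the report.
ACCOUNTS = {
    "kiosk":   {"created": "2005-03-01", "last_logon": "2012-06-14"},
    "jsmith":  {"created": "2018-09-10", "last_logon": "2020-10-09"},
    "svc-bak": {"created": "2016-01-20", "last_logon": "2020-10-10"},
}

# Constructed logon records, simplified from event 4624 fields:
# (timestamp, account, logon type, source address).
EVENTS = [
    ("2020-10-11T02:13:05", "kiosk",   10, "203.0.113.45"),
    ("2020-10-11T08:02:11", "jsmith",  2,  "10.20.30.40"),
    ("2020-10-11T08:05:41", "svc-bak", 5,  "10.20.30.41"),
    ("2020-10-11T23:44:00", "kiosk",   10, "203.0.113.45"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def is_external(ip):
    """True when the source address falls outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def dormant_accounts(accounts, as_of, threshold_days=DORMANT_DAYS):
    """Audit: accounts whose last logon is older than the threshold as of a date.

    This is the list an auto-expire or disable job would act on.
    """
    cutoff = _ts(as_of) - timedelta(days=threshold_days)
    return sorted(name for name, meta in accounts.items()
                  if _ts(meta["last_logon"]) < cutoff)


def flag_dormant_rdp_logons(events, accounts, threshold_days=DORMANT_DAYS):
    """Detection: RDP logons by an account that was dormant at the time of the logon.

    Last-seen state is updated as events are processed, so only the reactivation
    itself fires, not every subsequent logon by the same account.
    """
    last_seen = {name: _ts(meta["last_logon"]) for name, meta in accounts.items()}
    findings = []
    for ts, account, logon_type, src in sorted(events):
        when = _ts(ts)
        previous = last_seen.get(account)
        if (logon_type == RDP_LOGON_TYPE and previous is not None
                and when - previous > timedelta(days=threshold_days)):
            findings.append({
                "time": ts,
                "account": account,
                "source": src,
                "dormant_days": (when - previous).days,
                "external": is_external(src),
            })
        last_seen[account] = when
    return findings


if __name__ == "__main__":
    print("dormant as of 2020-10-10:", dormant_accounts(ACCOUNTS, "2020-10-10"))
    for hit in flag_dormant_rdp_logons(EVENTS, ACCOUNTS):
        print("ALERT dormant account RDP logon:", hit)
```

Run against the constructed data, the audit lists only “kiosk,” and the detection fires once, on the first RDP logon by that account from an external address after roughly eight years of inactivity; the second logon the same day does not fire again because the account is no longer dormant at that point. In practice the inventory would come from the directory (for example, last-logon timestamps exported from Active Directory) and the events from the domain controllers’ or RDP hosts’ security logs.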
The council on Wednesday disputed the ICO’s finding, saying that the regulator “misunderstood the facts” and “exaggerated the risk to residents’ data.”
“We do not believe it is in our residents’ interests to use our limited resources to challenge the ICO’s decision. Instead, we will continue to work closely with the National Cyber Security Center, central government to play our part in defending public services against the ever-increasing threats of cyberattack,” the council said.