Letter from London: Ransomware is wreaking havoc in Hackney
Vicki Bates, a retail worker who lives in east London, has been furloughed twice during the coronavirus pandemic and says she is owed nearly £1,000 ($1,400) in housing benefit by her local authority. She has been unable to log into her account on Hackney Council’s website since October 2020 and describes her predicament as the culmination of months of administrative errors.
“I really rely on those payments to be able to get things for my daughter,” she told me, during a telephone conversation. “We’ve got her school uniform to buy in the next couple of months. That is a large chunk of money and a bit of a worry.”
Bates is one of tens of thousands of Hackney residents — the borough is home to some 280,000 people and 10,000 businesses — who have been affected by a crippling ransomware attack on the council’s website. (In the interest of full disclosure, I live in Hackney and use the website regularly.) The breach took place in October 2020, disabling a number of vital local services, including systems that allow residents to access social security benefits, and pay rent and council tax.
Over the past few years, ransomware attacks on public and private institutions, including councils, utility companies and banks, have become an increasingly common form of online terrorism. In late 2020, dozens of U.S. hospitals and healthcare organizations were hit by malicious code distributed by cyber-criminals. Security analysts said the hacks were tied to a Russian gang known as UNC 1878 or Wizard Spider
Large corporations and financial institutions have the means to pay off ransomware gangs. For example, Brazil-based JBS SA, the world’s largest meat processing company, gave the equivalent of $11m to hackers who broke into its computer system in June.
However, U.K. local authority budgets have been progressively slashed since the financial crisis of 2008, rendering most councils incapable of spending such large sums of money, even if they could get past the miles of red tape necessary to do so. Hackney has faced some of the most brutal cuts in the country: the council’s core funding from central government has been reduced by £140m ($195m) since 2010 – a reduction of 45%.
On top of that, years of underinvestment in new technologies have left many of them more or less wide open to criminal assaults that endanger vulnerable people, who rely on the digital services they provide.
The damage done by the Hackney ransomware attack highlights both the importance of local authority services — which include public housing, garbage collection and the upkeep of roads — and the parlous financial situation of many U.K. councils.
Put simply, councils are not lucrative targets. Hackney set aside £2m in last year’s budget for future cyber attacks, but the borough is also having to make almost £11m of savings this year after incurring additional costs during the pandemic. Affected areas will include education, children and families services and public health.
The council, which employs 4,500 people, refuses to pay off the attackers and has not disclosed their identity or the amount demanded. Describing the incident as a “significant threat to the organization,” Hackney Council’s head of digital and data, Matthew Cain, detailed the chaos it has caused.
“Ten years-plus of significant investment in technology was removed overnight,” he told me. “From that point, the question was not which systems were available, but what data could we find and how could we rebuild that from the ground up? We have had the best part of 200 people working on it solidly since October, which represents more than our total investment in IT in a typical year.”
To make matters worse, Hackney’s ransomware attack was quickly followed by a data leak. In January, a criminal group published the personal details of council staff and residents on the dark web. While experts said that the stolen data was “limited” and “not visible through search engines,” nine months on, digital services continue to be affected, including changes to existing benefits and council tax claims and payments.
The audacity of ransomware gangs has pushed the issue into the international spotlight. During a June summit in Geneva, U.S. President Joe Biden urged President Vladimir Putin to crack down on hackers operating in Russia. Biden warned of consequences should such activities continue unchecked.
But it isn’t just criminal gangs who are targeting government institutions. In July, U.S. and Britain announced that Russian spies accused of interfering in the 2016 U.S. presidential election have spent most of the past two years attempting to breach the digital security of hundreds of organizations worldwide. The announcement did not identify any of the targets by name, but said they included government offices, political parties, law firms and media organizations in the U.S. and Europe.
In the U.K., a number of other government institutions have been hit. The Scottish Environment Protection Agency was hit in December 2020. Repair work to its systems is still ongoing. Since 2019, Hull City Council, in the north of England, has suffered at least 10 serious incidents and thousands of phishing attempts by criminals seeking to steal login details. Ireland’s public healthcare system is also rebuilding its digital infrastructure after a May attack.
Meanwhile, council workers and residents are left counting the costs. In Hackney, this will doubtless mean less money for already strained local services, which could deepen financial instability for those most in need. “This is going to be an 18-month recovery,” said Cain. “We will do that rather than doing all sorts of other things.”
The story you just read is a small piece of a complex and an ever-changing storyline that Coda covers relentlessly and with singular focus. But we can’t do it without your help. Show your support for journalism that stays on the story by becoming a member today. Coda Story is a 501(c)3 U.S. non-profit. Your contribution to Coda Story is tax deductible.