Teaming up with... AVIVA

Welcome to the UKGI weekly regulation update service for Aviva ABC brokers

We hope you find the Updates useful. If you are interested in subscribing to our affordable ABC compliance support package, please email us at ABC@ukgigroup.com or call UKGI on our dedicated ABC contact line 01925 767893.

ICO reprimands the London Borough of Hackney following a cyber attack

Link(s): London Borough of Hackney reprimanded following cyber attack

Context

The ICO has issued a reprimand to the London Borough of Hackney (LBoH) following a cyber attack in 2020, in which hackers gained access to and encrypted 440,000 files, affecting at least 280,000 residents and other individuals, including staff.

Key points to note and next actions

Hackers attacked LBoH’s systems, accessing, encrypting and in some cases exfiltrating records including personal data. Of the affected records, 9605 were exfiltrated, and LBoH acknowledged that the attack “posed a meaningful risk of harm” to 230 data subjects.

The hackers encrypted the data and then deleted 10% of the Council’s backup before the Council managed to intervene. The attack left LBoH’s systems disrupted for many months and, in some instances, services were not back to normal until 2022. LBoH was unable to deal with Freedom of Information and subject access requests. The ICO received 39 complaints from individuals who had submitted a subject access request between August and October 2020 but who had not received an appropriate response.

The ICO’s investigation into the data breaches found a lack of proper security and processes to manage personal data. LBoH failed to ensure that a security patch management system was actively applied to all devices, and failed to change an insecure password on a dormant account that was still connected to the Council’s servers; that account was exploited by the attackers. The ICO commented that this was a clear and avoidable error by the Council, which was unacceptable and should not have happened.

  • Action point: Ensure that all IT security measures (patching, account management and password controls) apply to the entirety of your systems, including dormant accounts and legacy devices, so that there are no gaps or weaknesses that can be exploited.
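The two gaps the ICO cited (patching that did not reach every device, and a dormant account left enabled with an old password) are both things an asset register and a directory export can be checked for routinely. The script below is an added illustration of such a gap audit; it is not code from UKGI, Aviva, the ICO or the Council. It assumes an inventory with the field names shown (hypothetical) and uses constructed sample data and made-up thresholds, so it runs offline; a real deployment would read the same fields from the organisation's own asset and identity systems.

```python
"""Gap audit for the failures cited in the Hackney reprimand: devices outside
the patch regime, and enabled accounts that nobody has used for a long time.
Added illustration with constructed data; field names and thresholds are
assumptions, not any product's schema."""

from datetime import date, timedelta

# Constructed sample asset register (hypothetical field names).
DEVICES = [
    {"host": "fileserver-01", "patch_agent": True,  "last_patched": "2020-09-28"},
    {"host": "legacy-app-02", "patch_agent": False, "last_patched": "2019-11-03"},
    {"host": "hr-db-03",      "patch_agent": True,  "last_patched": "2020-07-10"},
]

# Constructed sample directory export (hypothetical field names).
ACCOUNTS = [
    {"user": "svc-old-integration", "enabled": True,  "last_login": "2018-02-14", "pw_changed": "2017-06-01"},
    {"user": "jsmith",              "enabled": True,  "last_login": "2020-10-01", "pw_changed": "2020-08-15"},
    {"user": "contractor-x",        "enabled": False, "last_login": "2019-05-20", "pw_changed": "2019-01-10"},
]

AS_OF = date(2020, 10, 12)              # constructed reference date for the audit
MAX_PATCH_AGE = timedelta(days=30)      # assumed policy: every device patched monthly
DORMANT_AFTER = timedelta(days=90)      # assumed policy: unused for 90 days = dormant
MAX_PASSWORD_AGE = timedelta(days=365)  # assumed policy: credentials older than a year are stale


def _d(s):
    return date.fromisoformat(s)


def patch_gaps(devices, as_of=AS_OF, max_age=MAX_PATCH_AGE):
    """Return (host, reasons) for every device not covered by patch management:
    either no agent is installed or the last patch is older than the policy allows."""
    gaps = []
    for dev in devices:
        reasons = []
        if not dev["patch_agent"]:
            reasons.append("no patch agent")
        if as_of - _d(dev["last_patched"]) > max_age:
            reasons.append("last patch older than %d days" % max_age.days)
        if reasons:
            gaps.append((dev["host"], reasons))
    return gaps


def dormant_enabled_accounts(accounts, as_of=AS_OF, dormant_after=DORMANT_AFTER,
                             max_pw_age=MAX_PASSWORD_AGE):
    """Return enabled accounts with no login for longer than the dormancy threshold.
    Password age is reported alongside so a stale credential on a dormant account,
    the combination exploited at Hackney, is visible in one finding."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled dormant account is the desired end state
        idle = as_of - _d(acct["last_login"])
        if idle > dormant_after:
            pw_age = as_of - _d(acct["pw_changed"])
            findings.append({
                "user": acct["user"],
                "idle_days": idle.days,
                "password_stale": pw_age > max_pw_age,
            })
    return findings


def audit(devices=DEVICES, accounts=ACCOUNTS, as_of=AS_OF):
    """Combine both checks into one report so coverage gaps are reviewed together."""
    return {
        "patch_gaps": patch_gaps(devices, as_of),
        "dormant_accounts": dormant_enabled_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    report = audit()
    for host, reasons in report["patch_gaps"]:
        print("PATCH GAP  %-22s %s" % (host, "; ".join(reasons)))
    for f in report["dormant_accounts"]:
        extra = ", password stale" if f["password_stale"] else ""
        print("DORMANT    %-22s idle %d days%s" % (f["user"], f["idle_days"], extra))
```

On the constructed data the report flags the device with no patch agent, the device whose last patch is beyond the monthly window, and the service account that has been idle for years with a password unchanged since 2017; the disabled contractor account is correctly ignored because disabling is the remediation. The value of running this on a schedule is that it treats "all devices" and "all accounts" literally, which is exactly where the Council's controls fell short.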

Steps taken since the attack have included ensuring that all residents were informed, with specific contact made with people deemed to be at significant risk. LBoH has also implemented a “zero trust” model – one which operates on the “never trust, always verify” principle – to provide resilience against future attacks. Had these actions not been taken, LBoH would have had a fine imposed on it.

  • Action point: Consider adopting a similar “zero trust” model, as outlined above.