Cyber security whizz Graeme Stewart said an attack on a local authority could harm the most vulnerable and speculated the involvement of the Information Commissioner’s Office could indicate a data breach
Two London councils targeted in a cyber attack have probably experienced a “far more serious” incident than they are currently letting on, a security expert has warned. Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council, which share some IT infrastructure and serve 360,000 residents, said the assault had affected systems across both local authorities.
The incident started on Monday (November 24) and engineers worked through the night before memos went around other London councils warning of a threat early on Tuesday morning (November 25). On Tuesday night RBKC said experts from the National Cyber Security Centre (NCSC) were helping with a focus on protecting data, restoring systems, and maintaining critical services.
The latest memo sent around RBKC, seen by the Local Democracy Reporting Service, shows the council has cut off internet access and asked staff to work from home. The note says staff can continue to access Microsoft Teams and Outlook and the guest Wi-Fi and mobile hotspots in the office but it is not predicting a full return of all affected systems “for some days”.
Graeme Stewart, director of public sector at Check Point Software, told MyLondon: “The telling bit in this is the Information Commissioner’s Office (ICO). That’s your clue when you look at a cyber attack that it’s more serious… No one is going to basically contact the ICO unless it’s serious and it involves section 108. So the inference you can make is there has been some kind of data loss.”
Section 108 of the Data Protection Act 2018 requires the data controller to notify the Commissioner of a personal data breach as soon as they become aware of it. Mr Stewart said the involvement of the Metropolitan Police Cyber Unit and the NCSC, an arm of UK Government spying agency GCHQ, is also a sign suggesting the attack “must be quite serious”.
“A lot of this is extrapolation on my part, but particularly the bit in your report that said ICO, Met Police, and NCSC would lead me to believe that this is far more serious than they’re letting on,” he added.
Mr Stewart, who has been dealing with incidents like this for more than 25 years, said he still found it “sickening” that hackers are willing to target the most vulnerable in society. “The most vulnerable get disproportionately affected by these things because they disproportionately use local government services,” he added.
If a local authority’s systems are compromised due to a ransomware attack, it can have knock-on effects for people with care needs and has even been known to contribute to deaths, like at King’s College Hospital NHS Foundation Trust where thousands of treatments, operations, and appointments were affected and a patient death was directly linked to the incident.
Mr Stewart suggested ‘threat actors’ could be drawn to targeting the richest London boroughs as they have the most money to spare. But he added security services policy still runs to ‘We do not negotiate with terrorists’, and any organisation that is part of the Critical National Infrastructure will soon be banned from paying up by new Home Office legislation.
Even if an organisation refuses to pay, the cost of recovering a system can run into the millions. Hackney is still bearing costs in the hundreds of thousands for agency staff and IT consultants, after a hack in 2020. The recovery cost for a 2021 attack on Gloucester Council stood at more than £1.1million in 2023. A 2020 cyber attack on Redcar cost the council more than £10million.
“These things have massive implications. It’s not just an irritation that you can’t phone up and complain that your wheelie bin hasn’t been picked up,” added Mr Stewart.
‘They’re interested in major widespread disruption’
Though RBKC has given no indication of the nature of the attack, Mr Stewart told MyLondon the worst case scenario would be a ransomware attack with a ransom running into the millions. Around the same time the Harris Academy was targeted in 2021, a hacker posted on the dark web to show they had demanded $15million from an unnamed school.
Describing how ransomware works, Mr Stewart said: “It’s like a digital verruca. It buries itself in the system and at a moment of their choosing, they can go activate and that basically will take all of the systems offline and it’s really quite scary.
“I know people who work in other sort of public sector organisations that this happened to and it basically locks all these systems down and you get a screen presented going you need to pay us. It’s generally in Bitcoin or some other kind of cryptocurrency because it’s untraceable.”
Mr Stewart said ‘threat actors’ normally come in three categories: nation states like North Korea, China, or Russia; gangs sponsored by a nation state; or people just in it for the money. Typically with ransomware it involves the third group, who are the equivalent of bank robbers, except they could be based in a hotel room anywhere in the world, so you cannot just send your own police to arrest them.
Mr Stewart said the best case scenario looked like the Met Police tracking down the hackers and arresting them. Though “silence will be deafening”, perhaps indicating a state-sponsored attack, Mr Stewart said: “The likelihood of it being the Russians or the Chinese or the Iranians is pretty low… They’re not interested. This is small beer for them. They’re interested in major widespread disruption.”
Though there is currently no detail on the link between RBKC, WCC and the London Borough of Hammersmith and Fulham (who closed down some systems as a precautionary measure), Mr Stewart speculated the councils could have been targeted through a Software as a Service (SaaS) provider, an outsourced system for specific functions like payroll or housing benefit.
While this has the potential to affect other London boroughs if they also use the same software, Mr Stewart also suggested it could be: “These are probably the three richest London boroughs and someone’s just trying to pick them off.”
‘It will take something spectacular’
Asked how close we are to a pandemic-level cyber attack, Mr Stewart said: “This stuff happens every single day. And you know, organisations like mine spend our entire time battling it. And it’s only when it bubbles. The Kido [nursery hack] a couple of weeks ago was only of media interest because it had pictures of 12-month old children on it.
“They were trying to extort the money off parents. That was a new low I have to say even for these people. But this stuff happens every day. This will not be the last time this happens and we are probably a year to 18 months off a really big one.
“You think fighting in the aisles for toilet roll during Covid… If they were to take the banking system offline, can you imagine what would happen if they manage to take the BBC website offline?”
Asked why there had not been a huge incident yet, Mr Stewart said: “Because the cyber security community work bloody hard… it’ll have to be something spectacular, cleverly organised and cleverly done. But at some point it will happen because these guys spend their entire time probing our defences and organisations like mine spend the entire time trying to hold them off.”
RBKC spends £12m a year on IT and security systems
An RBKC spokesperson said it has now established the cause of the cyber incident and a number of “successful mitigations” are already in place, but they will not be sharing further details while investigations with the National Crime Agency and National Cyber Security Centre are ongoing.
They added: “Some systems, including phone lines, are disrupted. We’ve activated business continuity and emergency plans to ensure we are still delivering critical services to residents, focusing on supporting the most vulnerable.
“Our website is undergoing planned maintenance relating to ongoing management of the incident, so some pages may be in and out across the day and residents may not be able to use our online forms. We are working hard to bring services back online. We would like to apologise for any disruption and thank residents for their patience as we work to bring systems back online safely.”
RBKC spends over £12m annually on IT and security systems and has the very latest software and protection from Microsoft Defender. Westminster City Council, which was also impacted, was asked if it is imposing similar measures but said it has no further updates to provide.
If you have an emergency and need to contact Kensington and Chelsea Council, please use the phone numbers at the top of www.rbkc.gov.uk/contact-us/call-or-email-us.