English council spent £1.1 million recovering from ransomware attack

Jason Macuray

Gloucester City Council in the West Midlands of England was forced to spend more than £1.1 million ($1.39 million) to recover from a ransomware attack in December 2021, according to the published agenda of a council meeting that took place on Monday.

The meeting followed the council receiving a formal reprimand from the Information Commissioner’s Office (ICO) for failing to prevent a cybersecurity incident that was discovered just before Christmas.

A data breach notification previously published on the council’s website said “information containing personal details of residents and members of the public … was taken in a sophisticated cyber-attack by a cyber-criminal group.”

The “sophisticated cyber-attack” was a spearphishing email, according to the published agenda, which detailed costs including bringing in specialist security consultants and software to aid the recovery, replacing key equipment, and the council migrating all of its IT systems to cloud hosting. Of the total, £250,000 ($315,000) was covered by grants from the government.

The ICO’s reprimand highlighted several failures, including the lack of a “security information and event management (SIEM) system” and failing to prevent the ransomware attacker tampering with the council’s logs, which allowed the attacker to erase “crucial evidence” and hindered both the investigation and remediation of the incident.

The lack of a SIEM “significantly restricted Gloucester City Council’s ability to effectively monitor and respond to security incidents, detect anomalous activities, and identify potential threats.”

Although the council had backup systems in place, these “were not utilised” as the council instead opted for a “full rebuild” of its systems “which significantly impacted the timeline for recovery of access to personal data.”

Part of the ICO’s reprimand regarded how the council failed to “restore access to personal data, or the systems that stored personal data, in a timely manner,” and that it was “unable to determine the data subjects at risk of harm from the incident in order to notify them.”

These were all considered breaches of the U.K.’s General Data Protection Regulations, and they come with a potential fine of up to 4% of the organization’s global turnover.

But the ICO opted for a reprimand, noting in mitigation that the council did have backups in place and that the “initial attack vector for this incident was a phishing email received from a legitimate third-party email address” rather than a specific vulnerability that the council should have fixed ahead of time.

The ICO also noted that — although they were not considered adequate — there were “some systems in place for gathering and reviewing logs.”

The attack on Gloucester City Council back in December 2021 has been followed by many more impacting organizations in Britain. Ransomware attacks have been surging since 2020, according to the ICO’s data, and not only hit record numbers last year but look set to do so again in 2023.

There have been almost as many incidents affecting organizations in Britain in just the first half of this year as there were during the entirety of 2021 — including 64 attacks on local government within just six months, more than the 60 incidents in total that had been recorded in the three years previously.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

