I remember the date pretty clearly. It was Monday 10 February 2020 and it was not a nice time for me. I was in James Cook Hospital with a rather mysterious flu-like attack that turned to pneumonia on the right lung. At that time there were lots of rumours about an odd new SARS like virus doing the rounds, and in hindsight JCUH staff had noticed an uptick in cases that week. However, it was another virus altogether that slowly hit the North East headlines. I first became aware of it by trying to ring my social worker at Redcar and Cleveland Council to have a chat about post discharge support. But could I get through on the phone? No. By email? The server seemed to have frozen. The council switchboard told me in a recorded message loop that there was a “computer problem”. There had been a cyber-attack.
Over the weekend when few staff were on duty, unidentified cybercriminals unleashed a “catastrophic” cyber attack on Redcar and Cleveland Council, overcoming its defences and taking down the entire computer system in a matter of minutes. And now, in a special extended essay by Samir Jeraj in the New Statesman, the full story is told for the first time.
A single email
A single email with an attachment was the source of the attack. Council IT staff recognised what was going on, powered down the servers and called in the National Cyber Security Centre (NCSC). A subsequent external investigation by the council’s auditor would conclude the council had “proper arrangements and controls in place to reduce the likelihood of a cyber security breach” given the resources available.
But it was already too late: almost every computer, laptop and phone connected to the system was rendered unusable, visitors to the council website were greeted by an error message to “please try later”, and partner organisations cut off contact to avoid the contagion spreading. As a unitary council, Redcar and Cleveland runs local services ranging from bin collection and street cleaning to housing, social services and schools. All were affected.
It is a council I know well; I served on it from when it was formed from the sad breakup of the old Cleveland County in the mid 1990s until I became an early victim of the Red Wall collapse in 2019. During that time I served variously as Leader, Deputy Leader, Chair of Planning and Cabinet Member for Adult Services and I saw day in, day out, the dedication of the staff there.
It took a fortnight or so to confirm the obvious – that it had suffered a ransomware attack. Throughout this time, its IT system remained unusable, and it would take the council around eight weeks to restore a majority of services, and a further five to restore the “low-priority” data that it held. Following the attack, senior council officers quickly set up a command centre to coordinate their response, establishing new systems and governance mechanisms to cope with the lack of IT, telephones and printers.
Confidential information was kept in that room and that room alone for the first few weeks. As well as encrypting all operational data, rendering it useless, the cybercriminals encrypted the back-ups too. Staff went analogue, putting in new phone lines and reverting to pencil and paper to record information while the online services were rebuilt. As the world began to go remote due to the start of the Covid-19 pandemic, council officers continued to hold face-to-face meetings to keep each other informed of what was happening because they could not rely on email. They worked long, stressful hours, council staff later recalled in a video about the attack, and had to accept that years of their work may have been lost in the blink of an eye.
The cybercriminals said they would keep the data encrypted until Redcar and Cleveland paid them £1m. The council refused because there was no guarantee that the data would be released, and because, as noted in the minutes from a November 2021 meeting of the council’s Scrutiny and Improvement Committee, Whitehall had requested that it refuse to pay.
Eleanor Fairford, deputy director for incident management at the National Cyber Security Centre (NCSC) said:
“Deciding to pay a ransom demand is a very difficult choice for victims and one that is not taken lightly…
“Sadly, if you do pay the ransom there is no guarantee that you will regain access to your data, and seeing their scheme work can embolden criminals to try the same thing again”
Finance and legal rulings
More prosaically the council, even if it was ready to deal with the ransom theft, was simply financially unable to do so. At the time of the attack, the council’s total annual spend was £279m and it had just £5.2m in reserves, down from £25m in 2019. The administration, a mix of Liberal Democrats and independents who had taken power from Labour in the May 2019 local elections, was warned by its auditor that summer that it would run out of money by 2021 unless it cut spending and indeed, it has since made cuts, raised council tax and tried to shore up its reserves.
The council was not helped by legal rulings by the government that all dealings over possible government help remain confidential until the final day. Initially, the council costed the damage caused by the cybercriminals at around £16.4m, but was then down to a final figure of £8.7m following a external auditors financial impact assessment completed in June 2021. The government offered to give the council £3.68m in April 2021.
This prompted outrage from councillors, who had been led to believe that central government would take “full responsibility” for the cost of the attack, according to the minutes of a council meeting. The council administration would later come in for criticism for acceding to demands for confidentiality from central government and keeping backbenchers and opposition councillors in the dark over these developments.
The size of the cyber-attack problem
There will be more attacks like this one. Indeed, there have already been some reports of coordinated attacks on large councils like Hackney, Croydon and Gloucester. The central weakness of local council IT is its magnitude in dealing on a day-to-day basis with local residents, companies and other agencies. Take the recent government decision to make Council Tax rebates to offset rising energy costs. In every borough in the land this would have involved a transaction with every CT payer and his or her bank.
Similarly, the administration of Housing Benefit could mean that not just a council system becomes vulnerable, but the account details of HB recipients on the rent rolls of many hundreds of Registered Social Landlords too. The banks can tighten up their security and most do regularly, but as anyone who has to deal frequently with online banking knows, the level of security can become intimidating to anyone with only casual acquaintance of IT systems and logging in protocols.
And even though Redcar and Cleveland refused to pay a ransom demand (rightly) the newly re-encrypted details of service users prior to the attack (including mine) is still lurking out there. Thousands of compromised pieces of information available for sale to criminals operating on the dark web is connected to councils and universities across the North East and North Yorkshire region, a recent investigation has revealed. The investigation by Darlington based Bondgate IT found that over 15,000 pieces of potentially damaging information originating from nine local authorities in the region are currently for sale on the dark web.
Garry Brown, managing director of Bondgate IT, said:
“This underlines the sophistication of cyber criminals as information listed for sale on the dark web has the potential to bring down entire IT systems and cost organisations millions of pounds. The origins of most breaches are not malicious but are caused unintentionally by those working within an organisation. The danger is that a hacker accesses a staff member’s email and their contacts. It is then easy to steal their identity, gain commercial insights, circulate malware and ransomware, issue instructions to release funds and access sensitive information.”
And with war raging, the stage is set, I believe, for more massive data outages. Is there an answer? Not really. While local governments can put in the precautions they can afford, they may also need, says Samir Jeraj, to plan for the worst-case scenario: running a 21st century organisation on analogue alone.