Lewisham Council has announced that cyber criminals gained unauthorised access to "an IT storage portal" in April that was being used by its digital team for data analysis as part of a homelessness project, and possibly gained access to financial information of over 6,000 residents of Lewisham borough.
Breach exposed financial data of Lewisham residents
According to Lewisham Council, the compromised IT storage portal was not connected to its core IT system but contained confidential personal and financial records of thousands of citizens who either used the council's housing benefit services or were childminders.
Personal data stored in the storage portal also included data derived from Council areas such as council tax and housing benefits, adult social care, education, planning, and housing. The Council has not been able to accurately assess how much data was stolen by the criminals, who the hackers are, or if any stolen data was used inappropriately.
Lewisham Council added that it did not detect the breach until it suffered a ransomware attack on 24 April, which was accompanied by a note from the hackers informing the Council about the breach and demanding payment of a ransom.
"As soon as we identified the unauthorised access, we appointed a dedicated team to carry out a thorough investigation. We have been working hard to gather as much detail as possible about what happened. The investigation continues and, although there is no evidence that the data has been used inappropriately, we are telling residents about it as a precaution.
"We are taking this matter very seriously and are working with our partners, the appropriate regulators and the relevant government departments, including the National Cyber Security Centre (NCSC) to do everything we can to support those whose data is potentially affected.
"This matter occurred outside our IT network, which remains secure, and the core IT system is unaffected. We are working with a team of experts to review our security processes. We have already implemented a tightening of our security controls," the Council added.
Perimeter security remains a major concern
Commenting on the unauthorised access of a storage portal used by Lewisham Council, Naaman Hart, Managed Services Security Engineer at Digital Guardian, said that it's concerning that Lewisham Council is unable to fully diagnose what data has been involved. Yet another government department has fallen victim to ransomware, suggesting carelessness at a time when data security needs to be taken seriously.
"A perimeter approach to data protection simply isn’t effective anymore. It is crucial for businesses to ensure data is automatically protected no matter where it is or where it goes, especially for public organisations that are dealing with personal, sensitive data.
"It’s inevitable that hackers will at some point breach a company’s network, so the focus must shift to preventing hackers from exfiltrating sensitive data. Deploying data-centric security technology can remove the risk factor associated with these threats because even if someone has access to the data, they are prevented from copying, moving or deleting it without approval, a useful countermeasure to ransomware attacks.
"Implementing data-aware advanced threat products – which can nullify the effects of mass encryption of files – and maintaining a robust backup policy allowing the recovery of any encrypted files, are two other proactive steps that can be taken to strengthen your position against ransomware. Know your data, prevent unauthorised data use or alteration, and ensure you have a solid recovery mechanism," he added.
Lack of seriousness about cyber security
The lax approach taken by local councils across the UK towards cyber security has, time and again, been exposed by reports of large-scale data breaches, successful ransomware attacks, the disclosure of sensitive information to phishers, and successful malware intrusions into IT systems.
Earlier this year, a report from privacy group Big Brother Watch revealed that since 2013, local councils across the UK suffered as many as 98 million cyber attacks, averaging 37 cyber-attacks every minute.
In all, 114 local councils, or nearly one in every three in the UK, suffered at least one cyber incident in the last five years, totalling 376 such incidents since 2013. Some 56 percent of affected councils did not report breaches suffered as a result of cyber attacks, thereby avoiding embarrassment and the possible imposition of fines by the ICO.
As far as providing cyber security training to employees was concerned, the report from Big Brother Watch observed that while 297, or 75 percent of all local councils, did not provide mandatory training, 62 councils did not provide any cyber security training at all.
"With shrinking budgets and most councils struggling just to keep the lights on, cybersecurity is surely the last thing on their mind, especially when they have to decide whether to hire vital staff or choose on upgrading software to keep them patched with the latest security updates," said Joseph Carson, Chief Security Scientist at Thycotic.
"Just like many organisations, the focus is on the business, and if cybersecurity is not adding value then it is a cost, and for most, they are willing to sacrifice being the victim of a cyber-attack versus letting staff go.
"So, the news that many councils have been breached in the past five years is not surprising and that cybercriminals are targeting employees, stealing passwords, compromising accounts to bypass security controls is a challenge most organisations are facing globally and not unique to the UK," he added.