Some systems still affected by 2021 cyber attack but information unlikely to be published, council concludes

A Gloucester City Council investigation has found that "some information may have been taken" following a December 2021 cyber-attack that led to several council systems being taken offline and the loss of its postal voter sign-ups.

The local authority did not detail what type of information may have been accessed but said nothing has been published online to date, adding that it believes publication is unlikely.

Some systems are still affected a year and a half on from the attack, but the council stated that "most" of the council systems, such as its fly-tipping reporting service and the 'Local Land Charge' service, used to carry out searches for prospective homeowners, are now repaired.

The investigation was conducted with the help of the National Crime Agency and the National Cyber Security Centre, part of GCHQ. The council also informed the Information Commissioner's Office to minimise any further risks.

In a statement on the investigation, the council said: "[We] want to advise residents that some personal information may have been taken.

"Whilst some information the city council holds about residents may have been accessed during the cyber incident, to date nothing taken has been published online and, based on advice we have received from law enforcement agencies, we believe that it is now unlikely that it will be."

Earlier this year, the Government sanctioned seven individuals associated with the criminal group thought to be involved in this incident, which was also behind several other attacks on organisations, including hospitals, schools, businesses and other local authorities, the council noted.

In August last year, the council was forced to ask postal voters to re-register as a result of the cyber-attack.

Jon McGinty, Gloucester City Council Managing Director, said: "This has been a challenging period and I want to thank our residents for their patience and understanding; I also want to thank our staff for their hard work keeping services to the public going during this period of recovery.

"I share the annoyance of the public that we were targeted in this way; this criminal group targeted our council amongst other private and public sector organisations to disrupt our public services in an attempt to extort a ransom payment from the council."

He added: "I am sorry for any concern this announcement may cause residents and members of the public, but would like to emphasise this occurred in December 2021 and based on advice received from our national law enforcement partners, the Council believes that it is unlikely that any information taken will be released in the future."

Gloucester was the victim of another cyber-attack in 2017, which saw the Information Commissioner hand the local authority a £100,000 monetary penalty after leaving employees' personal information vulnerable.

Adam Carey