Information Commissioner reprimands city council over cyber attack

The Information Commissioner has reprimanded Gloucester City Council over its response to a ransomware attack in December 2021, which led to several council systems being taken offline and the loss of some personal data.

Some systems remained affected more than 18 months after the attack.

Gloucester should have had appropriate technical and organisational measures in place including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the Commissioner said.

A forensic report after the incident found Gloucester did not have a centralised logging system or a security information and event management programme in place.

“This significantly restricted Gloucester City Council’s ability to effectively monitor and respond to security incidents, detect anomalous activities, and identify potential threats,” the Commissioner said in its reprimand.

After the ransomware attack, it became apparent that those responsible had successfully deleted logs and erased crucial evidence, which hindered both the council’s investigation and remediation of the incident and also prevented its early detection through the log review process in place with a supplier.

“Industry standards and best practice cover the requirement that logs be protected from tampering,” the commissioner said. “[The council] failed to prevent such tampering and, when combined with the lack of centralised logging systems or appropriate log review processes, this hindered [its] ability to detect and recover from this incident.”
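The two failings the reprimand pairs together, unprotected logs and no central copy, are easier to see with a small illustration. The following is an added example and not code from the council, its supplier or the ICO report; the log lines are constructed, and the chaining scheme (a SHA-256 hash chain over numbered records with the chain head held by a central collector) is one common way of meeting the tamper-evidence requirement, not anything the report describes.

```python
import hashlib

# Constructed sample log lines for the illustration; not from the incident.
SAMPLE_EVENTS = [
    "2021-12-20T08:01:02Z host=ws-01 user=alice event=logon",
    "2021-12-20T08:05:17Z host=ws-01 user=alice event=open_attachment file=invoice.docm",
    "2021-12-20T08:05:19Z host=ws-01 process=winword.exe child=powershell.exe",
    "2021-12-20T08:07:44Z host=ws-01 event=service_install name=updater",
]

GENESIS = "0" * 64  # hash the first record links back to


def chain_records(events, prev_hash=GENESIS):
    """Number each event and hash it together with the previous record's hash.

    Deleting, editing or reordering an earlier record then breaks the link
    of every record that follows it.
    """
    records = []
    for seq, line in enumerate(events, start=1):
        digest = hashlib.sha256(f"{seq}|{prev_hash}|{line}".encode()).hexdigest()
        records.append({"seq": seq, "prev": prev_hash, "line": line, "hash": digest})
        prev_hash = digest
    return records


def verify_chain(records, expected_head=None):
    """Return (ok, reason).

    Checks sequence continuity and each link; if expected_head is given (the
    head hash the central collector recorded), also checks that the local
    chain still ends there, which is what catches quiet tail truncation or a
    rebuilt chain.
    """
    prev = GENESIS
    for i, rec in enumerate(records, start=1):
        if rec["seq"] != i:
            return False, f"sequence gap at position {i}: found seq {rec['seq']}"
        if rec["prev"] != prev:
            return False, f"broken link at seq {i}"
        expected = hashlib.sha256(f"{i}|{prev}|{rec['line']}".encode()).hexdigest()
        if rec["hash"] != expected:
            return False, f"content altered at seq {i}"
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "local head does not match the head held by the central collector"
    return True, "chain intact"


def rechain_without(records, drop_seq):
    """Simulate an intruder who deletes one entry and rebuilds the whole chain
    to hide the gap (possible because the chain uses no secret)."""
    return chain_records([r["line"] for r in records if r["seq"] != drop_seq])


if __name__ == "__main__":
    records = chain_records(SAMPLE_EVENTS)
    central_head = records[-1]["hash"]  # what the collector stores off-host
    print(verify_chain(records))
    # Crude deletion of the attachment event: detected locally.
    print(verify_chain([r for r in records if r["seq"] != 2]))
    # Careful deletion with the chain rebuilt: passes locally, fails against the collector.
    rebuilt = rechain_without(records, 2)
    print(verify_chain(rebuilt), verify_chain(rebuilt, expected_head=central_head))
    # Tail truncation: also only caught against the collector's head.
    print(verify_chain(records[:3]), verify_chain(records[:3], expected_head=central_head))
```

The point the example makes is the one the reprimand makes: a local integrity check alone is not enough, because an intruder with write access to the host can rebuild the chain or simply cut off its tail. Only a copy of the records, or at least of the chain head, forwarded promptly to a store the intruder cannot reach turns deletion into a detectable event rather than lost evidence.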

The Commissioner criticised Gloucester’s failure to restore access to personal data in a timely manner and its inability to determine and notify data subjects at risk of harm from the incident.

Processes to determine what data had been compromised were “reliant on ad-hoc systems and processes, including downloading data through the home wi-fi networks of council employees”.

Overall, the Commissioner found the council did not appropriately implement technical and organisational measures that would have aided in the recovery of personal data and mitigation of risks to data subjects. Its report recommended various improvements to the IT system’s security.

Mitigating factors found included that the initial attack vector was a phishing email received from a legitimate third-party email address. No specific vulnerabilities were found to have contributed to the attacker gaining initial access to council systems.

A Gloucester City Council spokesperson said the ICO had confirmed it would not issue either an enforcement notice or a fine. 

“We take on board the findings of the ICO report and confirm that all of the recommendations either have been or will be met, as we continue to work tirelessly to rebuild and improve the IT systems and security, business continuity processes and staff training,” the spokesperson said.

“We’d like to reassure residents that while some information the city council holds about them may have been accessed during the cyber incident, nothing taken has been published online and, based on advice we have received from law enforcement agencies, we believe that it is now unlikely that it will be.”

Mark Smulian