It was 8 February 2020 and the Covid-19 outbreak was yet to be declared a pandemic. In Yokohama, Japan, 61 of the passengers on a quarantined cruise ship were suspected of having caught the novel coronavirus. Meanwhile, in north-eastern England, a very different type of virus had struck.
At around 11am that February morning, cybercriminals unleashed a “catastrophic” cyber attack on Redcar and Cleveland Council, overcoming its defences and taking down the entire computer system in a matter of minutes. Spotlight has pieced together the events from public documents, reports and information as the council declined to participate in this story.
A single email with an attachment was the source of the attack. Council IT staff recognised what was going on, powered down the servers and called in the National Cyber Security Centre (NCSC). A subsequent external investigation by the council’s auditor would conclude the council had “proper arrangements and controls in place to reduce the likelihood of a cyber security breach” given the resources available.
But it was already too late: almost every computer, laptop and phone connected to the system was rendered unusable, visitors to the council website were greeted by an error message to “please try later”, and partner organisations cut off contact to avoid the contagion spreading. As a unitary council, Redcar and Cleveland runs local services ranging from bin collection and street cleaning to housing, social services and schools. All were affected.
“Councils, like many organisations and individuals globally, frequently face attempted cyber attacks,” councillor Peter Fleming, leader of Sevenoaks District Council and chair of the Local Government Association’s (LGA) Improvement and Innovation Board, tells Spotlight via email. “[But] in most cases, these are untargeted attacks, where malicious actors indiscriminately target devices and users regardless of the victim.”
Redcar and Cleveland Council was initially cagey about releasing all the details about the “cyber attack” to the press and public, and took 19 days to confirm what everyone already suspected – that it had suffered a ransomware attack. Throughout this time, its IT system remained unusable, and it would take the council around eight weeks to restore a majority of services, and a further five to restore the “low-priority” data that it held. Some services did continue, however: on Facebook, one resident noted that council tax payments were still being taken online by a third-party organisation.
Following the attack, senior council officers quickly set up a command centre to coordinate their response, establishing new systems and governance mechanisms to cope with the lack of IT, telephones and printers. Confidential information was kept in that room and that room alone for the first few weeks.
As well as encrypting all operational data, rendering it useless, the cybercriminals encrypted the back-ups too. The only data to avoid this fate was held on antiquated tape storage that was too obsolete to be affected by the ransomware. It contained “significant” amounts of children’s services data.
Business continuity documents that were saved digitally and not available in hard copy also could not be used. Staff went analogue, putting in new phone lines and reverting to pencil and paper to record information while the online services were rebuilt. As the world began to go remote due to the start of the Covid-19 pandemic, council officers held face-to-face meetings to keep each other informed of what was happening because they could not rely on email. They worked long, stressful hours, council staff later recalled in a video about the attack, and had to accept that years of their work may have been lost in the blink of an eye.
The cybercriminals said they would keep the data encrypted until Redcar and Cleveland paid them £1m. The council refused because there was no guarantee that the data would be released, and because, as noted in the minutes from a November 2021 meeting of the council’s Scrutiny and Improvement Committee, central government had requested that it refuse to pay.
“Deciding to pay a ransom demand is a very difficult choice for victims and one that is not taken lightly,” says Eleanor Fairford, deputy director for incident management at the NCSC. She adds that “sadly, if you do pay the ransom there is no guarantee that you will regain access to your data, and seeing their scheme work can embolden criminals to try the same thing again”.
Redcar and Cleveland was also in no position to pay the ransom. At the time of the attack, the council’s total annual spend was £279m and it had just £5.2m in reserves, down from £25m in 2019. The administration, a mix of Liberal Democrats and independents who had taken power from Labour in the May 2019 local elections, was warned by its auditor that summer that it would run out of money by 2021 unless it cut spending (the council has since made cuts, raised council tax and been able to shore up its reserves).
“Responding to a cyber attack can be incredibly challenging,” says councillor Fleming. He adds that a “multistakeholder response” has been shown to be effective in dealing with cyber attacks on local governing, bringing together support from the NCSC, the LGA, the Department for Levelling Up, Housing and Communities, and the Cabinet Office.
School admissions were an early victory for council officers at Redcar and Cleveland, with around 1,500 anxious families assured on 28 February that secondary school places would be allocated as usual and on time, despite the cyber attack.
Initially, the council costed the damage caused by the cybercriminals at around £16.4m, but by August 2020, it had reduced that to £10.4m, and then down to a final figure of £8.7m following a financial impact assessment completed in June 2021. The government offered to give the council £3.68m in April 2021. This prompted outrage from councillors, who had been led to believe central government would take “full responsibility” for the cost of the attack, according to the minutes of a council meeting. The council administration would later come in for criticism for acceding to demands for confidentiality from central government and keeping backbenchers and opposition councillors in the dark over these developments.
A later investigation led by councillors concluded that the loss of several senior officers for reasons not related to the attack may have affected the ability of the council to negotiate robustly with central government. They also noted, however, that Redcar and Cleveland is the only local authority to date to have received any money from central government (that was not a loan) to deal with the aftermath of a cyber attack.
“It’s essential local authorities treat cyber security as a priority and take action to protect their systems, secure sensitive data and practice incident response plans in case the worst happens,” says Fairford. She encourages councils to use the NCSC’s free Active Cyber Defence services and to follow NCSC guidance to help them run smoothly.
“Ten years ago, cyber security was a niche, technical topic,” says Fleming. “The last decade was the first decade since the Second World War that civil institutions in the UK [have come] under regular attack from foreign actors.” He adds that this means cyber security requires investment in skills and technology, and a change in “mindset and culture”, particularly in local government providing vital services to vulnerable people. He says the LGA is supporting councils to explore and improve their cyber security culture through a new LGA Cyber 360 programme. Fairford, meanwhile, says the NCSC works closely with local authorities to advise on cyber security best practice and offer expert advice on keeping systems secure.
“Following Russia’s invasion of Ukraine, cyber risk is heightened globally,” says Fleming. There have been multiple Russian attacks against Ukrainian critical infrastructure since the start of the year and the intelligence services have warned that more are likely.
“We in local government remain vigilant to the increased cyber risk,” he states. The reality is that Redcar and Cleveland may be an early warning for other councils. The London Borough of Hackney also suffered a catastrophic cyber attack in October of 2020, as did Gloucester City Council in December 2021. It is likely that others will follow. Cybercriminals are difficult to track and even more difficult to prosecute, and waves of untargeted attacks for money may increasingly be matched by targeted attacks by or on behalf of nation states as geopolitical tensions rise. While local governments can put in the precautions they can afford, they may also need to plan for the worst-case scenario: running a 21st century organisation on analogue alone.