Lewisham Council IT system hacked

The place for serious discussion, announcements and breaking news about Sydenham
Post Reply
Tom Edwards
Posts: 29
Joined: 7 Mar 2017 12:55
Location: Sydenham, London

Lewisham Council IT system hacked

Post by Tom Edwards »

Hi all

This may not affect too many people on here but maybe something to be aware of if you receive housing benefits, council tax amongst others. I received a letter from the council yesterday. Apparently they've known about this since April.

http://www.newsshopper.co.uk/news/16406 ... al-hacked/

Tom
JGD
Posts: 1089
Joined: 5 Feb 2018 11:39
Location: Perry Hill, SE6 (yup - that's Bellingham Ward, includes Bell Green and is distinct from Sydenham)..
Contact:

Re: Lewisham Council IT system hacked

Post by JGD »

Good pick-up Tom

Further information here:

http://data-advice.lewisham.gov.uk/

The answer to Q4 is evasive and positively specious. Even if the act of illegally accessing the data caused corruption the digital team responsible should and would have a summary of the data if not detailed knowledge of what had been extracted from their core in-house systems.
4. Why can’t you be more specific about the impact or the data in question?
The unauthorised access to the IT storage portal resulted in the corruption of the data. The investigation continues, but this is a complex issue and it may never be possible to know exactly what data could be affected.
stuart
Posts: 3432
Joined: 21 Sep 2004 10:13
Location: Lawrie Park
Contact:

Re: Lewisham Council IT system hacked

Post by stuart »

JGD wrote:The answer to Q4 is evasive and positively specious.
Or just confused?

It describes it as a ransomware 'attack'. If so, then it is unlikely that any useful data has been leaked. These attackers are only interested in getting some dosh for the encryption key as part of a scattershot campaign. As the data appears to be a duplicate subset of the core system then it isn't a data loss and there is no reason to pay.

Of course there is a small chance the attack was used as a cover for more devious purposes but it is much more likely to point to some carelessness on clicking on an email attachment or similar on an insecure system [Windows laptop?].

So probably nothing to worry too much about at this stage apart from the career of the clicker ... and the IT person who let them download the data. And a potential breach of GDPR?

Stuart
John H
Posts: 278
Joined: 17 Aug 2017 18:15
Location: Sydenham

Re: Lewisham Council IT system hacked

Post by John H »

Serves them right for outsourcing. This is the inevitable consequence. The removal of the essential IT/IS skills from the authority and the privatisation of the function was ill advised and they were advised it was.

For decades these systems were 100% secure. The advice of the technical experts employed by the authority was not to proceed down a certain path. The response was to privatise their functions and do it anyway.
stuart
Posts: 3432
Joined: 21 Sep 2004 10:13
Location: Lawrie Park
Contact:

Re: Lewisham Council IT system hacked

Post by stuart »

John H wrote:Serves them right for outsourcing.
Are you sure? The statement refers to 'our digital team' which would imply otherwise unless their attempt was to mislead.

Stuart
JGD
Posts: 1089
Joined: 5 Feb 2018 11:39
Location: Perry Hill, SE6 (yup - that's Bellingham Ward, includes Bell Green and is distinct from Sydenham)..
Contact:

Re: Lewisham Council IT system hacked

Post by JGD »

Stuart

I think on balance that you are right to highlight that confusion plays a part here.

However with good methodology and and a measure of trust that there was adherence to mandatory control systems, that state of confusion should be at a minimum.

And of course it can be additionally difficult for the authority to know what was accessed, copied and when. But forensic analysis should be able to determine when and if these events occurred.

It should be noted that Lewisham and its arms-length housing management organisation have track record of failure to protect large volumes of tenant and housing data. An external contractor mislaid almost their entire database in un-encrypted form some years ago.

It is my recall that the ICO required the authority to provide written assurances that steps would be introduced to prevent future intrusion and data loss.
John H
Posts: 278
Joined: 17 Aug 2017 18:15
Location: Sydenham

Re: Lewisham Council IT system hacked

Post by John H »

stuart wrote:
John H wrote:Serves them right for outsourcing.
Are you sure? The statement refers to 'our digital team' which would imply otherwise unless their attempt was to mislead.

Stuart
They outsourced the lot many years ago. When they refer to their "digital team" they mean contractors.
Post Reply