How A Cyber Attack on Public Services Left A £11.3 million Hole

This year cyber criminals have targeted major retailers and outlets, demonstrating the dramatic impact cyber-attacks on businesses can also have on the general public. Indeed, the NCSC (National Cyber Security Centre) said the biggest cyber-security worry was the threat of attacks on public services. These targeted attacks have the potential to cause chaos and wreck lives.

In 2020, the cyber-attack on Redcar and Cleveland Council’s IT system disrupted the whole area’s public services, from bin collectors to social services – impacting the safety of children and vulnerable people.

A recent BBC investigation has unveiled the true extent of the attack, ultimately leading to an £11.3 million cost which was not adequately insured.

The incident:

On Saturday 8th February 2020, one email with an innocuous-looking attachment lay in the inbox of a Redcar council staff member. The malicious software inside was activated, and within a few hours the malware spread to the IT systems, locking out staff and scrambling files containing important irreplaceable information.

By 11am on Saturday 8th February, residents noticed the council website was down. Although news spread, the council was pressured not to speak out or comment. More than 135,000 UK residents were without their public services, losing appointment bookings and planning documents.

The Redcar council’s IT systems were completely useless. The council had to allocate more phones to handle calls and continue what operations it could. Social services and elderly care services were not in operation and there were many complaints that bins hadn’t been emptied.

On Tuesday 11th February, the hackers made their ransom demand, expected to be in the range of millions of dollars.

The investigation:

The council had pleaded for help from the NCSC, and by Monday 10th February, the IT team were dismantling equipment. Without access to online records, social workers would struggle to keep young people safe, and critical decision making stalled. Council workers went back to pen and paper, resorting to handwritten notes as systems weren’t being updated.

By Wednesday, the government held a Cobra meeting designed to coordinate the response. In 2020 there was not yet a ban on paying ransom money to hackers, a change the new government wishes to make.

The council workers would not submit to the ransom. Within a few weeks, temporary systems were restored; however, by May, four months after the incident, council operation was only back to 90%. The system took 10 months to be fully restored, causing major long-term disruption to constituents.

It took several years to determine who was behind the attack. In February 2023, a group of Russian hackers were sanctioned by the UK government. It was leaked that they had attacked UK businesses, schools and councils including Redcar.

The outcome:

The Authority did not have sufficient insurance. A spokesperson said that the council’s general insurance did not have a specific policy which covered cyber-attacks. A recent inspection by external auditors revealed that the council did have proper controls in place, yet no adequate insurance.

The response and fix to the ransomware attack cost £11.3 million, said the council leader in a recent investigation. They received £3.68 million compensation from the government – leaving over £7 million to be found.

With effective cyber insurance cover, the full £11.3 million would likely have been covered, as well as the business interruption caused by the attack, and the cost to replace the systems. This should also have avoided spending taxpayers’ money.

According to the Information Commissioner’s Office, there were 202 ransomware attacks on local authorities in 2024.

This case study demonstrates how extensive the damage from a cyber attack can be and how prevalent such attacks are. The poor communication and lack of adequate insurance caused chaos, despite the council’s preparedness and positive hardworking reaction.

Learnings for business owners include:

  • Having specific cyber insurance in place is essential – The ramifications of a cyber attack can cost into the millions, through ransomware compensation, business interruption and system replacement.
  • Proper preparedness and training – Cyber attacks are common; businesses experience hundreds of major attacks every year. Ensure your staff are trained and your business has an effective continuity plan in place.
  • Communication is critical – Businesses have an obligation to inform people if their data may have been compromised. Knowing the best way to communicate is essential to avoiding reputational damage and a PR nightmare.