Anatomy of a Breach

Anatomy of a Breach: Hackney Council — A London Borough Devastated by Ransomware for Months

> series: anatomy_of_a_breach —— part: 142 —— target: hackney_council —— residents: 280,000 —— recovery: 2+_years —— fine: £120,000<span class="cursor-blink">_</span>_

Hedgehog Security 31 October 2020 13 min read
ransomware hackney-council uk-breach local-government pysa public-services series
Breach #142

280,000 residents. Housing benefits delayed. Planning halted. Recovery took over two years.

On 12 October 2020, the London Borough of Hackney confirmed it had been the target of a serious cyber attack. The Pysa ransomware encrypted council systems, rendering them inaccessible and disrupting services across the borough. Housing benefit payments were delayed. Planning applications could not be processed. Land registry searches — essential for property transactions — stalled for months. Council tax records became inaccessible. Social care and housing services were severely disrupted. Staff were unable to access email or internal systems.

The impact persisted far longer than any previous UK local government cyber incident. Full recovery took over two years, with some services not fully restored until late 2022. The ICO fined Hackney Council £120,000 for processing personal data in a manner that did not ensure appropriate security. The attackers also exfiltrated and published personal data on the dark web. For UK local government, the Hackney attack was the most severe demonstration yet that council services — depended upon by hundreds of thousands of residents — are critically vulnerable to ransomware.

UK Local Government Under Siege
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Hackney joins Atlanta and Baltimore. Local government is the perfect ransomware target.

Residents Directly Affected
Unlike breaches at private companies where the impact is primarily data exposure, the Hackney attack disrupted public services that residents depend on daily — housing benefits, social care, planning permissions, council tax. For UK <a href="/blog/sector-under-the-microscope-local-government">local councils</a>, service disruption from ransomware has a direct impact on citizens' lives. <a href="https://www.socinabox.co.uk/sectors/local-councils">SOC in a Box for Local Government</a> provides the monitoring these critical services require.
Two-Year Recovery
The recovery from the Hackney attack took over two years — demonstrating that ransomware against complex local government IT environments can cause disruption measured in years, not days. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates recovery procedures and backup integrity. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response that accelerates recovery.
£120,000 ICO Fine
The ICO fined Hackney Council for failing to ensure appropriate security — a reminder that GDPR obligations apply to local authorities just as they do to private companies. <a href="/cyber-essentials">Cyber Essentials certification</a> demonstrates the 'appropriate security' that the ICO expects to see.
Data Published on Dark Web
The Pysa attackers exfiltrated personal data before encrypting and published it on their dark web leak site — the double extortion model that was becoming the ransomware standard in 2020. <a href="https://www.socinabox.co.uk/blog/what-is-the-dark-web-business-guide">Dark web monitoring</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects when stolen data appears on criminal leak sites.
UK Local Government Must Act

Hackney was not unique. Every UK council faces the same risk.

The Hackney attack was the most severe, but not the only, ransomware attack against UK local government. Redcar and Cleveland Borough Council was hit in February 2020 with a recovery cost exceeding £10 million. Hackney's two-year recovery demonstrated the worst-case scenario. For every UK council, the message is: invest in prevention now. Cyber Essentials certification, regular penetration testing, SOC in a Box for Local Government, and incident response capability are not optional for organisations that deliver essential public services to hundreds of thousands of citizens.

Local Government Defence

Hackney Council: two years to recover from ransomware. Is your council prepared?

<a href="/cyber-essentials">Cyber Essentials</a> establishes the baseline. <a href="/penetration-testing">Penetration testing</a> finds the weaknesses. <a href="https://www.socinabox.co.uk/sectors/local-councils">SOC in a Box for Local Government</a> monitors 24/7. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> manages the crisis.

Commission a Local Government Assessment Next: Manchester United
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 28 February 2026

Anatomy of a Breach: BridgePay and University of Mississippi Medical Center — Payment Systems and Patient Care Both Disrupted by Ransomware

Breach #206. February 2026 saw ransomware disrupt two critical services. BridgePay — a payments platform serving city governments and municipalities — was hit by ransomware that disrupted payment processing for local government customers across the US, with systems not fully restored until 28 February. The University of Mississippi Medical Center was forced to close clinics after ransomware disabled IT systems and electronic health records, requiring clinicians to revert to manual downtime procedures for patient care. The clinics reopened on 2 March. Both incidents demonstrated that ransomware continues to target the systems that people depend on most — government payments and healthcare.

bridgepay ransomware
13 min read
Anatomy of a Breach 30 September 2025

Anatomy of a Breach: Jaguar Land Rover — Manufacturing Halted, Staff Sent Home, and Revenue Hit by Ransomware

Breach #201. In September 2025, UK car manufacturer Jaguar Land Rover (JLR) was hit by a cyber attack that severely disrupted production at its Halewood plant in Merseyside, forcing staff to stay home while the company responded. The incident, reportedly claimed by a group calling itself Scattered Lapsus$ Hunters, prevented car dealers from registering new JLR vehicles — during one of the busiest periods for new car registrations in the UK. JLR subsequently revealed that the attack had a significant financial impact on its revenue. The M&S and JLR attacks together constituted the most damaging year for UK corporate cybersecurity on record.

jaguar-land-rover jlr
13 min read
Anatomy of a Breach 30 April 2025

Anatomy of a Breach: Marks & Spencer — DragonForce Ransomware Costs £1.9 Billion and Hits UK GDP

Breach #196. In April 2025, Marks & Spencer — one of the UK's most iconic retailers with over 33,000 employees and an estimated 200,000 in its supply chain — was hit by a ransomware attack attributed to DragonForce, leveraging social engineering techniques associated with the Scattered Spider collective. The attack disrupted online sales, in-store contactless payments, click-and-collect services, and supply chain operations for weeks. The Bank of England confirmed the attack had impacted UK GDP growth. The estimated cost exceeded £1.9 billion ($2.5 billion), making it the most expensive cybersecurity breach in British history. The attack was linked to outsourced IT services, underscoring the supply chain dependency that has defined every major UK retail breach.

marks-spencer dragonforce
16 min read
All Posts Get in Touch