In the early hours an IT engineer raced into work through the dark, wintery streets of Redcar in north-east England. The dash was prompted by a worrying alert about the council's computer network, and he was soon hurriedly shutting down servers to try to halt the spread of a virus. It was too late. Hackers had scrambled Redcar and Cleveland Council's IT systems and would soon demand payment to restore it.
The cyber-attack in February 2020 caused chaos, disrupting everything from bin collections to social services and decisions about how to keep vulnerable children safe. "I got a phone call to say: we've been hit," recalls Mary Lanigan, then leader of the council. "The destruction of our systems was total."
In recent weeks, cyber-criminals have targeted major retailers including M&S and the Co-Op, leading to empty shelves and breaches of customer data. But the former head of the National Cyber Security Centre (NCSC), Ciaran Martin, said his "biggest cyber-security worry" was the threat of simultaneous attacks on public services, like councils and hospitals, which had the potential to "wreck lives".
The BBC has been investigating how the attack on Redcar and Cleveland unfolded, what it took to get things back to normal and the impact on local people.
In the days before Saturday 8 February 2020, an email with a seemingly innocuous attachment arrived in a council inbox. Hidden inside was a piece of malicious software that would lie dormant in the council's network until it was activated remotely. Within a few hours of that activation it had spread throughout the computer system, locking staff out and scrambling files.
By 11:00 GMT on Saturday, local residents began to notice the council website was offline. "There wasn't a lot we could do," Mrs Lanigan said about efforts to stop the virus. "You had to be practical, so it was actually getting more phones in there so that people could ring us."
News was spreading, but Mrs Lanigan, who lost her position in the 2023 local elections, claims she received pressure from council officials and central government not to speak out. The council declined to be interviewed about the attack but said there had been no pressure or instruction not to speak publicly, either at the time or since.
What Mrs Lanigan did not say in 2020, but admits now, was the council was dealing with a crisis. "It was devastating," she said. "Devastating for us, for the staff, for the public and for everybody else." They had lost the ability to share information with police and the NHS, while social services and elderly care services were knocked out, she said. "Even somebody ringing up and saying 'my bin hasn't been emptied' wasn't dealt with."
By the morning of Monday 10 February IT staff were desperately going from desk to desk, placing infected computers in a growing pile. "When we saw how much damage had been caused we realised it would probably take weeks, maybe years to do," said IT worker Ben Saunders.
At the same time, experts at the NCSC - part of GCHQ - were considering the council's plea for help. Mr Martin, who was the NCSC's chief executive at the time, said it was "unusually serious". "If a council are telling you they are worried about their ability to run services for vulnerable children, you take that very seriously."
It was feared social workers, tasked with keeping young people safe, would struggle to do their jobs without access to the online records they relied on to help inform difficult decisions. In what Mr Martin called an "unusual" step, NCSC officers were deployed to Redcar.
On Tuesday 11 February – the second working day after the attack - hackers made their ransom demand.
The exact figure has never been made public, but Mr Martin said that, based on similar attacks, it was likely to have been in the "low single figure millions of US dollars". The current government is considering a ban on the public sector paying ransoms to hackers but, while it is the guidance, there was no formal ban in place in 2020.
Regardless, Mrs Lanigan was in no mind to cough up. "I'm a Yorkshire woman and the thing being about that is there was no way I was paying any ransom to anybody."
The following day, Wednesday 12 February, the government held a Cobra meeting, designed to co-ordinate the response to major emergencies. "That's when you realised just how serious it was," the former council leader said. "It wasn't just some hacker sat in a bedroom having a play with computers."
While the system was being rebuilt, the council turned the clocks back and returned to using paper and pen. Many functions ground to a halt or were dramatically slowed down.
Redcar husband and wife Paul and Clare were "very reliant on the council" at the time. Clare needed support from care workers and specialist equipment to help with a debilitating condition called functional neurological disorder. "You'd be waiting on the phone for hours," Paul said. "When people were coming it was handwritten notes, so the systems weren't getting updated. It was a real nightmare." The couple waited many months before they got the support they needed. In the meantime, Paul had quit his job to care for his wife.
All the while staff continued to work on getting the council back online and within a few weeks a temporary system for social services had been restored. By May 2020 the council said it was still only back to 90%, with the system taking 10 months to be fully restored. "Some of it was able to be recovered; a lot of it was needed to be built from scratch," said Mr Saunders. "It was a very meticulous, very long process."
Yet it took several years before evidence emerged suggesting who was behind the cyber-attack. In February 2022, one of the world's most prolific ransomware gangs, the Russia-based Conti Group, fell apart. After Russia invaded its neighbour, pro-Ukrainian hackers leaked the group's private messages and data, revealing details of some of the most dangerous cyber-criminals.
A year later, in February 2023, a group of Russian hackers were sanctioned by the UK and US governments over a string of attacks on businesses, schools and councils, including Redcar and Cleveland.
Earlier that year, Mrs Lanigan gave evidence in Parliament about the attack. She said the response had cost £11.3m and they had received £3.68m compensation from the government. As the authority was not insured for the attack, the difference had to be taken from its limited reserves.
A council spokesman said that while it had general insurance cover, it still did not have a specific policy which covered a cyber-attack. They said a recent inspection by external auditors found that at the time the council had had proper arrangements and controls in place to reduce the likelihood of a cyber-security breach.
But it is far from the only council to face such an attack. According to the Information Commissioner's Office, there were 202 ransomware attacks on local authorities in 2024. The government said it was "taking action to protect local councils by providing funding to increase their cyber defences".
But Mr Martin fears the attack on the council, and other public services, could have "shown hostile nation states how to disrupt our society". "Redcar and Cleveland was a crisis," he said. "What about 10 Redcar and Clevelands at the same time? What about a hundred of them? That's not inconceivable."
The inside story of a council held to ransom in cyber-attack
TruthLens AI Suggested Headline:
"Cyber-Attack Disrupts Services at Redcar and Cleveland Council"
TruthLens AI Summary
In February 2020, Redcar and Cleveland Council in north-east England faced a devastating cyber-attack that crippled its IT systems and disrupted essential services. The incident began with a seemingly innocuous email attachment that contained malicious software, which was activated remotely and quickly spread throughout the council's network. As IT staff scrambled to contain the damage, council leader Mary Lanigan recalls the chaos as the council lost access to vital information systems, impacting everything from social services to waste collection. The attack not only hindered the council's ability to communicate with police and the NHS but also left local residents unable to receive basic services, illustrating the far-reaching consequences of such cyber incidents. The severity of the situation prompted urgent intervention from the National Cyber Security Centre (NCSC), with officials recognizing the potential risk to vulnerable populations depending on council services.
As the council grappled with the fallout, hackers issued a ransom demand that was estimated to be in the low millions, a figure that the council ultimately refused to pay. Instead, they reverted to using manual processes, which significantly slowed operations and left many residents, such as those needing care services, in distress. The recovery process proved to be lengthy and complex, taking nearly a year to fully restore the council's IT systems and costing over £11 million, with only a portion covered by government compensation. The attack not only highlighted vulnerabilities within public sector cybersecurity but also raised concerns about the broader implications of coordinated cyber-attacks on essential services. Experts warn that similar incidents could disrupt multiple councils simultaneously, posing a severe threat to public safety and service delivery across the country.
TruthLens AI Analysis
The article delves into a significant cyber-attack that targeted the Redcar and Cleveland Council, highlighting the chaos that ensued and the subsequent challenges faced in restoring services. The narrative emphasizes the vulnerability of public institutions to cyber threats, an issue that resonates widely in today's digital landscape.
Purpose of the Publication
This piece aims to inform the public about the severity of cyber threats against local councils and public services. By detailing the attack's impact on everyday operations, such as waste collection and social services, it underscores the potential risks posed by cybercriminals. The article seeks to raise awareness about cybersecurity issues, particularly in the context of public sector vulnerabilities.
Public Perception
The report is likely intended to foster a sense of urgency and concern within the community regarding cybersecurity. It portrays the council's struggle to manage the aftermath of the attack, highlighting the need for improved security measures in public institutions. This could lead to increased public demand for better protection and resources allocated to IT security.
Potential Concealments
While the article focuses on the cyber-attack, it may be diverting attention from other underlying issues within the council, such as budget constraints or previous neglect of IT infrastructure. By concentrating on the incident, it may gloss over systemic problems that contributed to the council's vulnerability.
Manipulative Elements
The article employs a narrative that evokes fear and urgency, which can be seen as a manipulative tactic to push for greater investment in cybersecurity. The language used emphasizes the catastrophic effects of the attack, aiming to provoke an emotional response from readers.
Truthfulness of the Article
The report appears to be based on factual events, with firsthand accounts from officials involved in the crisis. However, the framing of the story and the emphasis on specific aspects may lead to a skewed perception of the overall situation.
Societal Implications
The implications of such cyber-attacks extend beyond immediate disruptions. They can lead to calls for regulatory changes, increased funding for cybersecurity initiatives, and a reassessment of how public services manage digital threats. This could ultimately reshape local government strategies regarding IT infrastructure and crisis management.
Target Audience
The article is likely aimed at a broad audience, including local residents, government officials, and cybersecurity professionals. By addressing public concerns, it seeks to engage those interested in the safety and effectiveness of local governance.
Impact on Financial Markets
While this specific incident may not have immediate effects on stock markets, it highlights vulnerabilities that could influence investor confidence in public sector stability. Companies involved in cybersecurity solutions could see increased interest as local governments may seek to bolster their defenses.
Geopolitical Relevance
In a broader context, this story reflects ongoing concerns about cybersecurity on a global scale. As cyber threats increase, the balance of power in both political and economic arenas may be affected, particularly in how nations approach cybersecurity legislation and international cooperation.
Use of AI in Reporting
There is a possibility that AI tools were used in researching or drafting the article, especially in analyzing data or summarizing information. These tools could have influenced the narrative structure, emphasizing certain aspects of the story while minimizing others.
Overall, the article serves as a critical reminder of the vulnerabilities present in public sector IT systems and the need for urgent action to safeguard against future threats. The framing of the story, while largely factual, may also project an urgency that seeks to influence public opinion and policy decisions regarding cybersecurity.