Local authorities falling foul: lessons from cybersecurity breaches and how to stay protected

In recent years, UK councils have become prime targets for cybercriminals, with 2024 witnessing a surge in high-profile cyber-attacks. From ransomware encrypting sensitive data to distributed denial-of-service (DDoS) attacks disrupting public services, local authorities are facing an ever-growing digital threat.

Notable incidents include the Middlesbrough Council attack, which caused temporary website outages, and the Leicester City Council ransomware breach, which resulted in the exposure of residents’ sensitive personal information. Even as far back as 2020, the Hackney Council cyber-attack demonstrated the devastating impact of weak cybersecurity measures, leading to prolonged service disruptions and a massive data leak.

These incidents underscore the urgent need for local authorities to adopt proactive cybersecurity strategies. Protecting sensitive data and maintaining public trust are not just technical challenges but also critical responsibilities for decision-makers in local government.

Details of the threats and key trends

The digital transformation of local council services has brought new efficiencies but also heightened exposure to cyber threats. Cyber-attacks on councils range from ransomware infiltrations, where sensitive data is encrypted and often leaked, to DDoS disruptions, which flood systems with traffic and make online services inaccessible.

For public sector organisations, these attacks are particularly damaging. Data breaches compromise residents’ sensitive information, service interruptions disrupt daily operations, and public trust is eroded. In 2024 alone, several high-profile attacks underscored these vulnerabilities, including:

Middlesbrough Council (2024)

In November 2024, a distributed denial-of-service (DDoS) attack temporarily disrupted Middlesbrough Council’s online services, preventing residents from accessing critical resources. While DDoS attacks are considered “low sophistication,” their ability to flood servers with traffic highlights the disruption even minor breaches can cause. Though no sensitive data was compromised, the attack serves as a warning that public-facing systems need better defences to ensure availability.

Leicester City Council (2024)

April 2024 saw Leicester City Council fall victim to a ransomware attack perpetrated by the Inc Ransom group, which claimed to have stolen 3TB of data. The group leaked highly sensitive documents, including passports, bank statements, and other personal records, after ransom negotiations failed. The attack caused significant disruptions to services such as waste collection, school admissions, and birth registration appointments, leaving residents and staff vulnerable to fraud and identity theft.

Hackney Council (2020)

One of the most devastating council cyber-attacks to date targeted Hackney Council, where hackers took advantage of weak passwords and outdated systems to access and encrypt 440,000 files, placing the personal data of 280,000 residents at risk. A portion of the data, including highly sensitive personal information, was also exfiltrated. The attack caused widespread disruption, with some council services remaining offline until 2022, and resulted in a reprimand from the ICO. This incident highlights how critical failures, such as neglecting security patches and failing to enforce robust password protocols, left the council vulnerable to an otherwise preventable breach.

These individual incidents are part of a broader trend of ransomware groups targeting public sector organisations. Attackers like Inc Ransom use increasingly sophisticated techniques, such as double extortion, where they both encrypt data and threaten to release it if their demands are not met. This tactic puts councils under immense pressure, as they must weigh the potential costs of a ransom against the fallout of exposed data and disrupted services.

Globally, public sector organisations are particularly appealing to cybercriminals due to several factors:

  • Critical data: Councils handle sensitive information about residents, making their systems lucrative targets for identity theft or black-market sales.
  • Essential services: Interrupting key functions like housing, licensing, and healthcare amplifies the impact of attacks, increasing attackers’ leverage.
  • Cybersecurity gaps: Many councils operate on limited budgets, which often leaves them with outdated systems and insufficient defences compared to private-sector organisations.

The rise of state-sponsored cybercrime adds another layer of complexity, with nation-state actors viewing attacks on public sector entities as a means of economic or political disruption. As these threats grow, so does the need for councils to invest in robust cybersecurity measures to protect their systems, data, and residents.

Common weaknesses in Council cybersecurity

So just why are local councils so vulnerable to cyber-attacks? The answer lies in a combination of constrained resources, outdated systems, and gaps in cybersecurity practices. 

  • Limited Budgets

Many councils operate on limited budgets, often leaving IT departments underfunded and struggling to maintain up-to-date defences. This financial strain means that critical measures, such as upgrading legacy systems or implementing advanced security protocols, are frequently delayed or overlooked. At the same time, the vast amount of sensitive data councils handle—such as personal identification records, financial details, and health information—makes them prime targets for cybercriminals seeking valuable information or opportunities for extortion.

  • Lack of Protection

Key weaknesses in council cybersecurity have been exploited in numerous real-world attacks. One major vulnerability is the lack of multi-factor authentication (MFA), which allows attackers to easily exploit stolen or compromised credentials. Inadequate patch management is another issue, as seen in Hackney Council’s failure to address known vulnerabilities, leaving systems open to attack. 

Similarly, weak password practices, including the use of default or reused credentials on dormant accounts, provide cybercriminals with easy access points. Compounding these issues is the lack of proactive system monitoring, which delays the detection of suspicious activity and allows attackers more time to cause damage.

These gaps are not merely theoretical risks; they have had tangible consequences. In Hackney’s case, attackers exploited weak passwords and unpatched vulnerabilities to compromise sensitive data and disrupt services for years. Similarly, Leicester City Council suffered significant fallout after attackers exploited security gaps to exfiltrate and leak highly personal information. Without addressing these systemic issues, local councils will remain easy targets, putting their data, services, and public trust at ongoing risk.

Lessons learned and best practices for Councils

To prevent future cyber-attacks, councils need to implement a multi-layered cybersecurity approach that addresses both technical and human vulnerabilities. The following steps are crucial for building resilience against threats:

  1. Implement Multi-Factor Authentication (MFA)
    MFA adds an extra layer of protection by requiring users to verify their identity through multiple methods, such as a password and a one-time code. This simple measure significantly reduces the risk of unauthorised access, even if credentials are compromised.
  2. Regularly update and patch systems
    Applying critical security patches promptly closes known vulnerabilities that attackers can exploit. Councils should establish strict timelines for patch management and prioritise updates for systems that handle sensitive data.
  3. Strengthen password policies
    Weak or reused passwords are a common entry point for attackers. Councils should enforce strong, unique passwords for all accounts, particularly administrative or privileged ones, and encourage regular password changes to mitigate risks.
  4. Train your staff
    Employees are often the first line of defence against cyber-attacks. Regular training on recognising phishing attempts, social engineering tactics, and other common threats can significantly reduce the likelihood of human error leading to a breach.
  5. Adopt advanced models
    Transitioning to a zero trust model, as implemented by Hackney Council, ensures that no user or device is trusted by default. This approach minimises the risk of internal threats and makes it harder for attackers to move laterally within a network once access is gained.
  6. Collaborate with authorities
    Councils should work closely with agencies like the National Cyber Security Centre (NCSC) to benefit from expert guidance, threat intelligence, and support during and after cyber incidents. Such partnerships can also help councils stay updated on emerging threats and best practices.
  7. Conduct regular audits
    Proactive measures like penetration testing and risk assessments help identify weaknesses before attackers can exploit them. Regularly auditing systems ensures that councils can address gaps and improve their defences over time.

By implementing these strategies, councils can not only protect their systems and data but also build public trust by demonstrating a commitment to cybersecurity.
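Several of the weaknesses named above (missing MFA, dormant accounts left enabled, long-unchanged passwords) can be checked directly from an account export. The Python sketch below is an added example, not part of the original article; the CSV column names, the sample rows and the 90-day and 365-day thresholds are all assumptions to adapt to a council's own directory and policy.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real product's schema.
SAMPLE_EXPORT = """username,enabled,privileged,mfa_enabled,last_login,password_last_set
a.clerk,true,false,true,2024-11-20,2024-09-01
svc-backup,true,true,false,2023-01-15,2019-06-30
j.former,true,false,false,2022-03-02,2021-11-11
it.admin,true,true,false,2024-11-28,2024-10-05
old.temp,false,false,false,2021-05-05,2021-05-01
"""

DORMANT_DAYS = 90        # assumed threshold for "dormant"
MAX_PASSWORD_AGE = 365   # assumed threshold for a stale password


def audit_accounts(export_text, today):
    """Return [(username, [findings])] for enabled accounts, highest risk first."""
    results = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot be used to log in
        findings = []
        privileged = row["privileged"].strip().lower() == "true"
        idle = (today - date.fromisoformat(row["last_login"])).days
        pw_age = (today - date.fromisoformat(row["password_last_set"])).days
        if row["mfa_enabled"].strip().lower() != "true":
            findings.append("no MFA (privileged)" if privileged else "no MFA")
        if idle > DORMANT_DAYS:
            findings.append(f"dormant but enabled ({idle} days idle)")
        if pw_age > MAX_PASSWORD_AGE:
            findings.append(f"password unchanged for {pw_age} days")
        if findings:
            results.append((privileged, len(findings), row["username"], findings))
    # Privileged accounts first, then accounts with the most findings.
    results.sort(key=lambda r: (not r[0], -r[1], r[2]))
    return [(name, findings) for _, _, name, findings in results]


if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_EXPORT, date(2024, 12, 1)):
        print(f"{name}: " + "; ".join(findings))
```

Run on a schedule against a fresh export, a report like this gives the regular audit in step 7 a concrete starting list of accounts to disable, reset or enrol in MFA.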

Strengthening cybersecurity in local government

Local authorities must act now to safeguard their systems and data against increasingly sophisticated threats. In-house resources may be limited, but councils can seek external expertise to bolster their defences.

Ongoing cybersecurity training for staff is crucial to creating a culture of vigilance and preparedness. By investing in comprehensive security measures and collaborating with national agencies, councils can protect their data, maintain public trust, and ensure the continuity of essential services.

Final thoughts

The recent wave of cyber-attacks on UK councils underscores the critical need for comprehensive cybersecurity measures across all areas of local government. From Middlesbrough’s service disruption to Leicester’s devastating data breach and Hackney’s prolonged fallout, these incidents vividly illustrate how unchecked vulnerabilities can result in severe operational, financial, and reputational damage.

To safeguard sensitive information and maintain public trust, local authorities must act decisively, drawing valuable lessons from these cases. Strengthening defences against the ever-evolving threat landscape is not just a technical necessity—it is a fundamental responsibility to the communities they serve. The time to prioritise cybersecurity is now – and we all have a responsibility.
