UK council yanks IT systems and phone lines offline following cyber ambush

Leicester City Council says IT systems and a number of its critical service phone lines will remain down until later this week at the earliest following a "cyber incident".

The governing body of the midlands city in England first reported issues across its services on March 7 and announced via its X channel that it had yanked a number of systems offline. A day later, it attributed the outages to a "cyber incident."

Nowadays, when organizations are as vague as this, it can mean things are worse than they're letting on.

"Cyber incident" and "encryption event" are two of the most commonly preferred phrases by public relations teams to delicately communicate a ransomware attack, although this hasn't been officially confirmed to be the case with Leicester City Council.

The Reg asked the council for clarity on the matter, including whether the digital break-in involved ransomware, and for an up-to-date statement, but it had not responded at the time of publication.

Some security experts suspect ransomware is involved, and have noticed services at the council's network border pulled offline, including Citrix Netscaler and Cisco AnyConnect VPN appliances.

A cursory scan of the major ransomware groups' leak blogs shows none of the big names are yet claiming responsibility for the attack on Leicester City Council.

Senior officials said the council is still working to fully understand the nature of the incident and that services will hopefully be restored before the end of the week.

"Over the weekend we have continued to work with our cybersecurity and law enforcement partners, as well as learning from other councils who have had attacks, to identify the nature of the incident and the steps we need to take to get our systems back online," said Richard Sword, strategic director of city developments and neighborhoods at Leicester City Council.

"We expect that it will take until at least the middle of the week before we will be able to start the recovery process, beginning with our most critical services.

"We apologize for the inconvenience this is causing. Council officers are working hard to ensure that our frontline services continue to operate with the minimum of disruption."

Emergency phone numbers have been established in lieu of full access to key council services such as adult safeguarding, child protection, homelessness, housing, and others.

Online forms for functions such as reporting child protection concerns or accessing housing services are down, leaving the emergency phone number as the only contact method.

"Cyberattacks happen a lot, they happen to councils a lot," said Eerke Boiten, professor of cybersecurity at De Montfort University Leicester, to BBC Radio Leicester. "I think the biggest damage is the day-to-day functioning of the council which is hampered until, they say, the middle of this week before they start recovery.

"We don't know how serious it is, they're not giving everything away, but it sounds serious enough that it will probably stop normal functioning in many areas for weeks."

The council concluded its brief statement about the incident by reminding the world it's not the only UK councils tthat have suffered a cyberattack in the past year. 

The reason behind making the point can be debated – trying to make the situation seem more palatable perhaps – but it's correct in saying it.

Three Kent local authorities were attacked simultaneously at the start of the year and some council services reamin disrupted. And St Helens Council also reported a suspected ransomware attack in August 2023, an incident that took the authorities months to fully restore services.

A handful of regional British councils were affected by Capita exposing an unsecured AWS bucket to the web last year too, with some seeing residents' social financial benefits information exposed.

Asked about what the attack means for Leicester city residents who handed personal data over to the council, Boiten said: "I mentioned the British Library, they've just come out with a detailed report on what actually happened in [its attack] and I think that's quite possibly representative for this type of attack. It pointed out, for example, that although people have been paying the British Library with credit cards, the credit card data doesn't live on their system and they're not allowed to keep it on their system because there are special regulations for payment data which make sure they don't, and they even actively look for it to delete it. 

"So, those are fairly standard protections in that area. Similarly, the sensitive data that Leicester City Council has – not so much the data around payments – the way more sensitive data might be in the social work corner of the council, or anything where personal circumstances get dealt with. But then again, you would expect that such data has extra protection on it so that an attack that hits the main systems doesn't automatically get into the sensitive databases that have extra levels of protection.

He added: "Leicester City Council has a good reputation for information governance, so I have some faith that the damage done in terms of sensitive data will be quite limited." ®