Rare look into city council cyber attack and consequences

Gloucester City Council’s ransomware attack case study provides insights and lessons for many

Physical assets are critical to asset-rich organisations achieving their ambitions through service delivery and revenue generation.

Gloucester City Council recognised this in their 2016-2021 asset management strategy, with car parks and investment properties identified as key sources of revenue at the time, each generating ~£2m per annum.

So what happens if the finance system—a critical component in any organisation and asset management system, relied upon to receive revenue, make purchases and pay service providers—becomes unavailable?

Well, in December 2021, ransomware struck the council. Operations were thrown into chaos, including finance-related activities.

Despite various systems being in the cloud and largely unaffected, the finance system was sited on council servers that became ransomware-encrypted.

Manual processes were needed to process purchases, pay invoices and receive payments.

Limited information was available as to what the council’s budget position was throughout the year.

All in all, an unenviable situation to be in for those charged with ensuring an organisation remains solvent.

What was the cause of the Gloucester City Council cyber attack?

Although Gloucester City Council had invested millions of pounds in cyber security over several years, including training, it was a targeted email from a compromised supplier, containing a malicious link, that brought the council unstuck.

Dealings over email with trusted suppliers are something asset managers take for granted. For many organisations, a supplier sending a plan or a quote for work that’s been talked about is nothing unusual.

Unaware the supplier had been compromised, the targeted council employee clicked the link, triggering a chain of events that led to operational chaos for months and ended up costing the council close to £1M.

In December 2023, two years after the attack, the Local Government Association, in conjunction with Gloucester City Council, released a case study providing a candid look into what happened. The document outlines the timeline of events, and discusses knock-on impacts on the operation of local leisure centres, and delivery of housing control, planning and payroll services.

Case studies like these are extremely rare. For a variety of reasons, many organisations don’t discuss the details of cyber attacks they’ve experienced in public. This preference to keep matters confidential makes it harder for others to learn about the realistic threats and consequences they face. Gloucester City Council should be commended for being open and allowing others to gain insight into what can be vexed and nuanced matters.

Included in the case study is a comprehensive set of lessons learnt that all organisations, council or otherwise, can potentially draw on.

Further insights into the attack and its consequences are laid out in Gloucester City Council’s Overview and Scrutiny Committee paper entitled Impact, Recovery and Lessons Learnt from the Cyber Attack in December 2021, available here.

Featured image: “Sunset on Gloucester Docks 3”, by kennysarmy, licensed under CC BY-NC-ND 2.0