A series of major cyber-attacks have hit high-profile UK retailers this year, with the same group of hackers suspected to have targeted Harrods, the Co-op and Marks and Spencer. After the latter attack, which took place over the Easter weekend, online purchases were disrupted for months. Marks and Spencer has estimated that the incident, in which sensitive customer and staff information was stolen, will cost the company around £300m.
In May, Pat McFadden, the chancellor of the Duchy of Lancaster, described the issue as a “wake-up call” for businesses. Addressing a cyber security conference, he said that the government is “modernising the way the state approaches cyber” threats. Forthcoming legislation, the Cyber Security and Resilience Bill, is expected to introduce measures to strengthen UK plc’s defences in this regard.
But McFadden’s remarks were emblematic of a problem with the government’s approach. Local government is increasingly on the front lines of this invisible battlefield, but when it comes to cyber attacks, councils are largely ignored. And yet, with responsibility for £100bn each year—much of which is spent on vulnerable adults, schools, children with special educational needs and the homeless—councils have become an attractive target for hostile actors and cyber criminals.
The scale of the cyber threat to local government is difficult to quantify. A Freedom of Information request to the Information Commissioner’s Office by the Covert Councillor can reveal that up to 1.8m people have had their personal data accessed through cyber attacks at local authorities in the last two years.
Councils have outdated IT infrastructure and are unprepared for future attacks—even though recent incidents have been highly disruptive. In 2020, Redcar and Cleveland Borough Council became one of the first high-profile victims when the authority was paralysed by a ransomware attack. The National Cyber Security Centre was deployed and the total cost to Redcar was an estimated £10m. Essential services like social care, planning and housing were severely affected. The council’s IT systems had to be completely rebuilt.
Later that year, Hackney Council suffered a similarly devastating attack. Ransomware locked access to critical services such as housing benefit payments and sensitive personal data was later leaked on the dark web. Hackney acknowledges that its poor resilience “posed a meaningful risk to harm” to more than 200 people.
These aren’t isolated events. According to the Local Government Association, councils across England have reported rising volumes of phishing and ransomware attempts. The threat is compounded by long-standing concerns about legacy IT and underinvestment in cyber resilience. According to research from 2018, a quarter of councils are estimated to have been victims of breaches.
Beyond the immediate chaos that cyber attacks cause to service provision, there is the less visible, but potentially more damaging, issue of data loss. Leaked personal information often includes names, addresses, National Insurance numbers and even details of social care or housing assistance. This data is highly valuable for criminals and hostile intelligence services.
Last year, Edinburgh backed out of a partnership with the Taiwanese city of Kaohsiung after the Scottish capital conceded that the initiative could threaten its relationship with China. A draft report from Edinburgh dated 27th June 2024, which your correspondent accessed via an FOI request, said that “the agreement is likely to increase the risk of a targeted cyber attack against the council”, the risk of which was already “very high”.
A report by the Royal United Services Institute thinktank published in March cites one Chinese academic who says that Chinese authorities seek to take advantage of the autonomy that local councils have in striking their own international relationships. Ken McCallum, the director general of MI5, the UK’s domestic intelligence service, has warned of a similar risk. In 2022, McCallum told security professionals that agents linked to China had been “cultivating” local political figures in the hope that some might become more established politicians over time.
Budgetary pressures and competing priorities leave many councils struggling to modernise outdated systems or recruit skilled cybersecurity professionals. The result is poor defences that leave councils and the residents they serve dangerously exposed. Local authorities are custodians of sensitive personal information and they play a critical role in supporting vulnerable people. Their ability to function securely is fundamental to the delivery of public services and national resilience. Yet the evidence suggests that they are under-resourced and increasingly under threat.
The likes of Russia and China could wreak serious havoc for millions of people through cyber attacks that target, for instance, the national grid. And criminals and hostile actors could also, at least in theory, prevent social care workers from accessing the files of millions of people who need daily care. Central government may be investing in cyber defence for national infrastructure, but local authorities remain a weak link. If hostile states and cybercriminals see local government as a soft touch, then policymakers will have to take the threat more seriously.
