A council's failure to change an insecure password enabled a cyber-attack that leaked the personal details of hundreds of thousands of people.

Hackney Council has been reprimanded by the Information Commissioner’s Office (ICO) for “failing to implement measures” that could have prevented the attack in October 2020.

But the council insists the ICO "misunderstood the facts" about the attack, in which hackers got access to 440,000 files, affecting at least 280,000 residents and council staff.

The encrypted data included information that revealed residents' racial or ethnic origin, religious beliefs, sexual orientation, health, economic and criminal offence data, and names and addresses.

But Hackney insists the ICO "misapplied the law" and exaggerated the risk to residents’ data.

In an investigation, the ICO found “examples of a lack of proper security and processes to protect personal data”.

It concluded that the council failed to change an insecure password on a dormant account still connected to council servers, which was exploited by the attackers, and failed to ensure a security patch management system was actively applied to all devices.

“This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents”, said Stephen Bonner, deputy commissioner at the ICO. “This is entirely unacceptable and should not have happened.”

“While nefarious actors may always exist, the council failed to effectively implement sufficient measures that could have better protected their systems and data from cyber-attacks,” he continued.

“Anyone responsible for protecting personal data should not make simple mistakes like having dormant accounts where the username and password are the same. Time and time again, we see breaches that would not have happened if such mistakes were avoided”.

Bonner did acknowledge that the council “took swift” action, and a “number of positive steps” have been taken since the attack.

A spokesperson for Hackney Council denied the ICO’s conclusion, saying: “we maintain that the council has not breached its security obligations”.

They said: “Since 2020, organisations of all sizes in the public and private sector have fallen victim to criminals deploying ever more complex and sophisticated modes of cyberattack.

“We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question and has mischaracterised and exaggerated the risk to residents’ data.”

They continued: “It is not in our residents’ interests to use our limited resources to challenge the ICO’s decision” and will instead “continue to work closely with the National Cyber Security Centre, central Government and colleagues across local government and the wider public sector to play our part in defending public services against the ever-increasing threats of cyberattack.”

In a separate statement, and on X, Hackney Mayor Caroline Woodley wrote: “We deeply regret the impact that this senseless criminal attack had on Hackney residents and businesses, and I am grateful to council staff who continued delivering for our communities despite the challenges, and to our residents for their patience while services were impacted.”