cybersecurity · Government · 2023
London Borough of Hackney
The London Borough of Hackney was fined for an October 2020 ransomware attack that compromised personal data of a large number of council residents and staff, including housing benefit records, social care information, and sensitive data such as racial and ethnic origin. The ICO found Hackney had failed to patch known software vulnerabilities, had inadequate security monitoring, and had insufficient network segmentation, all of which contributed to the successful attack. The council took over two years to fully restore its systems, significantly disrupting public services.
Fine Imposed
€114,660.0
Authority
ICO-UK
Regulation
NIS Regulations 2018 (Network and Information Systems)
Max fine
Up to £17M per violation; competent authorities include Ofcom, sector regulators, and NCSC
Status
active
Key Takeaways
- Public sector organisations carry identical UK GDPR security obligations to private companies — unpatched vulnerabilities and absent monitoring are not acceptable regardless of resource constraints, and the ICO will enforce against local authorities.