Incident: Ransomware Cyber-Attack on Redcar and Cleveland Council IT Systems

Published Date: 2020-02-27

Postmortem Analysis
Timeline
1. The software failure incident, a ransomware cyber-attack on Redcar and Cleveland council, happened on 8 February [96689].

System
1. IT servers
2. Council computers, tablets, and mobile devices
3. Council website
4. Call center
5. Planning application system
6. Server and website [96689]

Responsible Organization
1. The software failure incident was caused by a ransomware cyber-attack on Redcar and Cleveland council's IT servers [96689].

Impacted Organization
1. Redcar and Cleveland council [96689]

Software Causes
1. Ransomware cyber-attack on the council's IT servers [96689]

Non-software Causes
1. Lack of cybersecurity measures to prevent ransomware attacks [96689]
2. Reduction in funding and austerity measures leading to budget constraints and staff cuts [96689]

Impacts
1. The software failure incident, a ransomware cyber-attack on Redcar and Cleveland council, disabled its IT servers for three weeks, leading to a steep bill estimated between £11m and £18m for repairs, far exceeding the council's funding grant from the central government [96689].
2. Council staff were unable to use council computers, tablets, or mobile devices during the incident and had to resort to using "pen and paper" for work [96689].
3. The incident caused disruptions in council services, with the council website not functioning properly, a temporary call center being mobilized, and events being cancelled due to IT problems [96689].
4. Residents faced difficulties in accessing services and information, with complaints of being cut off when contacting the council and uncertainty regarding the status of planning applications and objections due to the cyber-attack [96689].
5. The incident raised concerns among residents about the stability of the local government infrastructure, with fears of a collapse in services and operations [96689].

Preventions
1. Implementing robust cybersecurity measures such as regular security audits, penetration testing, and employee training to prevent cyber-attacks like ransomware [96689].
2. Maintaining up-to-date software and security patches to address known vulnerabilities that could be exploited by attackers [96689].
3. Creating and regularly testing a comprehensive disaster recovery plan to ensure quick restoration of IT systems in case of an incident like a cyber-attack [96689].

Fixes
1. Enhancing cybersecurity measures to prevent future cyber-attacks like ransomware incidents [96689].
2. Investing in IT infrastructure upgrades and backups to ensure quick recovery in case of system failures [96689].
3. Conducting regular cybersecurity training for staff to increase awareness and prevent phishing attacks or other vulnerabilities [96689].

References
1. Redcar and Cleveland council spokesperson
2. Redcar and Cleveland councillor
3. National Crime Agency
4. National Cyber Security Centre
5. Cleveland police
6. Council leader, Mary Lanigan
7. Local resident, Peter Finlinson
8. Council's Facebook site
9. Council's auditor
10. National Audit Office [96689]

Software Taxonomy of Faults

Category: Recurring
Option: unknown
Rationale:
(a) The software failure incident at Redcar and Cleveland council involving a ransomware cyber-attack is a unique incident specific to this organization. There is no mention in the article of a similar incident happening before within the same organization.
(b) There is no information in the articles to suggest that a similar incident has happened before at other organizations or with their products and services. The focus of the article is primarily on the specific cyber-attack incident at Redcar and Cleveland council.

Category: Phase (Design/Operation)
Option: design
Rationale:
(a) The software failure incident in the Redcar and Cleveland council was due to a cyber-attack involving ransomware, which disabled the council's IT servers for three weeks. The incident was acknowledged as a "ransomware cyber-attack" by the council leader, Mary Lanigan [96689].
(b) The operation of the council was severely impacted by the software failure incident, as all council staff were unable to use council computers, tablets, or mobile devices for three weeks. They had to resort to using "pen and paper" instead of digital systems [96689].

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident, in this case, the cyber-attack with ransomware, originated from within the council's IT system. The incident disabled the council's IT servers, leading to a situation where council staff were unable to use council computers, tablets, or mobile devices for three weeks [96689].
(b) outside_system: The cyber-attack on the council's IT system was caused by external factors, specifically a ransomware attack. The attack was not an internal system fault but rather a deliberate external intrusion that encrypted the council's files, leading to the disruption of IT services [96689].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in this case was due to a cyber-attack, specifically a ransomware attack on Redcar and Cleveland council's IT servers. The attack disabled the council's IT systems for three weeks, leading to a significant disruption in their operations. The incident was described as a "ransomware cyber-attack" by the council leader, Mary Lanigan [96689].
(b) Human actions also played a role in this software failure incident. The decision to scrap the chief executive role and redistribute duties among other council managers could have potentially impacted the council's IT infrastructure and overall operations. Additionally, concerns were raised about the lack of professionalism and potential mismanagement within the council, which could have contributed to the vulnerability of their IT systems [96689].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident in the Redcar and Cleveland council was due to a cyber-attack, specifically a ransomware attack that disabled its IT servers for three weeks [96689]. This cyber-attack originated externally and was not a result of hardware failure.
(b) The software failure incident was caused by a ransomware cyber-attack, indicating that the contributing factors originated in the software system's vulnerability to such attacks [96689].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident in this case was malicious. The council in the north-east of England suffered a ransomware cyber-attack, where files were maliciously encrypted, and the council was forced to pay a ransom to unlock the files [96689]. The incident was described as a "ransomware cyber-attack" by the council leader, acknowledging the malicious nature of the attack. The National Crime Agency was leading a criminal investigation into the cyber incident, indicating the seriousness of the attack and the intentional harm caused to the council's IT systems [96689]. Residents also expressed concerns about the security of their personal information on the compromised server, highlighting the malicious intent behind the attack [96689].
(b) The software failure incident was not non-malicious. There is no indication in the article that the failure was due to unintentional factors or errors. The incident was clearly attributed to a ransomware cyber-attack, indicating a deliberate and malicious act aimed at disrupting the council's IT infrastructure [96689].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
The software failure incident reported in Article 96689 was primarily due to poor decisions made by the council. The incident was a result of a ransomware cyber-attack that disabled the council's IT servers for three weeks. The council had to rely on pen and paper as all staff were unable to use council computers, tablets, or mobile devices. The council initially downplayed the issue, stating it was just an "issue with our IT system," but later admitted to being hit by a ransomware attack. The council's decision to scrap the chief executive role and redistribute duties among other managers was also criticized as a poor decision, leading to a lack of professionalism and concerns about the council's functionality [96689].

Category: Capability (Incompetence/Accidental)
Option: accidental
Rationale:
(a) The software failure incident in this case does not seem to be directly related to development incompetence. The incident was primarily caused by a ransomware cyber-attack on the council's IT systems, leading to the disabling of IT servers and the encryption of files [96689].
(b) The software failure incident can be attributed to accidental factors, as it was a result of a ransomware cyber-attack on the council's IT systems. The attack was not caused by internal development incompetence but rather by external malicious actors exploiting vulnerabilities in the system [96689].

Category: Duration
Option: temporary
Rationale:
(a) The software failure incident in this case is temporary. The council in Redcar and Cleveland suffered a cyber-attack that disabled its IT servers for three weeks, leading to staff being unable to use council computers, tablets, or mobile devices during this period [96689]. The incident was specifically identified as a "ransomware cyber-attack" on February 8th, indicating a deliberate attack on the system [96689]. The council had to resort to using "pen and paper" as an alternative means of operation while the IT systems were down [96689]. Additionally, the council mentioned that it may take some time before their IT capabilities are fully restored, causing frustration for the public in dealing with administrative tasks [96689].
(b) The software failure incident is not permanent as efforts are being made to restore the IT capabilities fully. The council has already built a new server and website, mobilized a temporary call center, and is working towards restoring its IT capabilities [96689]. Residents have complained about the council website not functioning properly and being cut off when trying to contact the local authority, indicating ongoing issues that are being addressed [96689].

Category: Behaviour
Option: crash, omission, value, other
Rationale:
(a) crash: The software failure incident in this case can be categorized as a crash as the council's IT servers were disabled for three weeks, leaving council staff unable to use council computers, tablets, or mobile devices, and instead relying on "pen and paper" [96689].
(b) omission: The software failure incident can also be categorized as an omission as residents complained about the council website not functioning properly, being cut off repeatedly when calling the local authority, and events being cancelled due to IT problems [96689].
(c) timing: There is no specific information in the article indicating that the software failure incident was related to timing issues.
(d) value: The software failure incident can be categorized as a value failure as the council was subject to a ransomware cyber-attack, which encrypted files and forced the council to potentially pay a ransom to unlock the files [96689].
(e) byzantine: There is no specific information in the article indicating that the software failure incident was related to byzantine behavior.
(f) other: The software failure incident can be categorized as other behavior due to the overall impact on the council's operations, including the inability to access planning applications, objections potentially being lost, and the disruption of services and communication channels [96689].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, delay, non-human, theoretical_consequence
Rationale:
(a) unknown
(b) unknown
(c) unknown
(d) Property: The software failure incident resulted in the council's IT servers being disabled for three weeks, leading to concerns among residents about the local government infrastructure being "in danger of collapse" [96689].
(e) Delay: Events several weeks away were cancelled due to the IT problems caused by the software failure incident [96689].
(f) Non-human: The software failure incident impacted the council's IT systems, resulting in the council staff being unable to use council computers, tablets, or mobile devices and instead relying on "pen and paper" [96689].
(g) unknown
(h) Theoretical_consequence: The council's auditor warned that Redcar and Cleveland local authority could go bust within two years unless its spending is slashed or central government plugs the gap, indicating a potential consequence of financial collapse due to the ongoing challenges faced by the council, including the software failure incident [96689].
(i) unknown

Category: Domain
Option: government
Rationale:
(a) The failed system was intended to support the government industry. The software failure incident occurred at Redcar and Cleveland council, a local government authority in the north-east of England [96689]. The incident involved a ransomware cyber-attack that disabled the council's IT servers, leading to significant disruptions in their operations, including the inability of council staff to use computers, tablets, or mobile devices for three weeks. The attack impacted various services and activities of the council, such as accessing planning applications, scheduling meetings, and handling administrative tasks, indicating the critical role of the software systems in supporting government functions. The incident also raised concerns about the potential collapse of the local government infrastructure due to the cyber-attack and highlighted the importance of maintaining IT capabilities for effective governance and service delivery.
