Agenda item

Report on the Impact of the Cyber Incident and the Lessons Learnt

To consider the report of the Cabinet Member for Performance and Resources seeking Members to note the impact of the cyber-attack on the Council, residents and customers, and the lessons learnt from the subsequent recovery.


68.1    Councillor Norman introduced the report and welcomed the Head of Transformation and Commissioning. She paid tribute to all Officers for their hard work and innovation during the cyber incident and subsequent recovery. In particular, she thanked the Managing Director and former Director of Finance and Resources for their leadership, as well as the Council’s IT team for their dedication in recovering the Council’s IT systems.


68.2    Councillor Hilton thanked the Head of Transformation and Commissioning for the report and Council staff for their work in dealing with the cyber incident. He noted that the latest figures confirmed a total recovery cost of £1.142m and observed that the costs had therefore exceeded £1m. He asked whether the recovery had improved systems, and whether all applications had been transferred to the Cloud. Councillor Norman stated that she had previously asserted that she was not willing to give assurances that the total recovery costs would not exceed £1m, and that the Council had received some grant funding towards the costs. She also noted that some of the recovery work was already part of the IT recovery plan and that it had front-ended some upcoming planned improvement work. The Head of Transformation and Commissioning further added that an advantage of the Cloud was that it increased resilience through a distributed structure. He added that the investment had provided the opportunity to reengineer systems from scratch.


68.3    Councillor Hilton asked whether the Council had made a mistake in not investing in its IT systems earlier, particularly following the cyber incident experienced by the Council back in 2014. Councillor Norman noted that the latest attack experienced by the Council was sophisticated; however, the Council had invested in its IT systems and was already in a much stronger position than other authorities at the time of the 2021 cyber-attack. The Managing Director also advised that the Council had heavily invested since 2014 in improving its defences, upgrades, and improving awareness and business continuity plans. He stated that hostile agents were evolving threats and it was his view that the Council was not unprepared for the attack.


68.4    Councillor Wilson referred to the narrative in the report at 12.1 and the statement that the configuration of some systems had been customised by external consultants. He asked whether this had the potential to make the Council’s systems weaker if this happened in the future. The Managing Director noted that one positive arising following the incident was that the Council’s backups were still intact. However with the Uniform system used for planning applications, as all Councils’ systems were configured differently, this application had needed to be rebuilt from scratch before the backups could be loaded. He noted that this could be a lesson for all Councils to learn from.


68.5    In response to a query from Councillor A. Chambers regarding whether the Council ought to have adopted the same IT as Gloucestershire County Council, Councillor Norman explained that lengthy discussions had taken place at the time of the Gloucestershire Council’s ICT procurement, however the Council had decided that this was not the right approach for the City Council.


68.6    Councillor A. Chambers asked whether the Council would apologise to residents for the cyber-attack and data breach. Councillor Norman responded that the Council had already issued communications to residents regarding the cyber incident.


68.7    In response to a further query from Councillor A. Chambers as to whether residents ought to have been informed of the cyber-attack earlier, the Managing Director advised that the Council had immediately reported the incident to the relevant organisations and had worked with expert crime agencies to try and ascertain what data had been stolen. He noted that during the 18 months following the cyber incident, the Council had continued to provide services and that systems had now been repaired.


68.8    Councillor A. Chambers referred to the narrative at 18.2 of the report and asked whether there had been any claims from residents in respect of the data breach. Councillor Norman confirmed that the Council had received the lowest level of reprimand from the Information Commissioner’s Office and had fully complied with their recommendations. The Managing Director advised that he was not aware that the Council had accepted any claims from members of the public. He noted that he shared the anger of the public regarding the cyber-attack, but the advice the Council had received was that expert advice agencies did not believe any information taken had been published online, and that it was very unlikely that it would be in the future.


68.9    In response to a query from Councillor Dee regarding the action plan from the lessons learnt, the Head of Transformation and Commissioning confirmed that the Council had a new way of monitoring the action plan.


68.10  Councillor Wilson noted that residents had been informed of the breach more than a year later, and asked whether in hindsight the Council could have done a better job of keeping them informed. Councillor Norman confirmed that the Council had followed the expert guidance given at the time. The Managing Director reiterated that in the months that followed, efforts had been made to ascertain exactly what data had been taken so that individuals could be directly informed, however this had not proved possible. He noted that improved monitoring software had since been installed.


68.11  In response to further comments from Councillor Wilson as to whether consideration would be given to informing residents earlier in the process if a similar attack took place in the future, the Managing Director noted his point but reiterated that the Council had followed the advice from national advisory bodies advising against talking openly about the attack due to the potential to attract the interest of hostile organisations.


RESOLVED – That the Overview and Scrutiny Committee NOTE the report.
