Managing a cyber-attack − St Helens Borough Council

In August 2023, St Helens Borough Council experienced a cyber security incident that impacted its ICT systems and operational activities. The attack was a Malware as a Service (MaaS) incident, where an unknown actor gained access to the council’s system and exfiltrated 29 gigabytes of data.

Challenges

  • Initial systems shutdown until compromised areas could be identified and contained.
  • Service disruption: Staff couldn’t access line of business apps, and the public couldn’t make payments or bookings online.
  • Data exfiltration: A large amount of data was uploaded to a cloud storage provider in New Zealand.
  • Finance function impact: The finance department was significantly affected due to its reliance on on-premises servers.

Approach

  • The council immediately invoked its Emergency Response Plan and brought in a cyber incident response team (CIRT).
  • Compromised accounts were disabled, IP addresses blocked, and domain access passwords reset.
  • Staff were notified via email, and a statement was published on the council website.
  • The CIRT cleansed all servers accessed by the actor.
  • The council reset all staff passwords, introduced multi-factor authentication (MFA), and replaced its antivirus with an Endpoint Detection and Response (EDR) solution.

Outcomes and benefits

  • Quick recovery: The council moved back to a business-as-usual position by November 1, 2023, just 10 weeks after the incident.
  • Minimal impact: The overall impact on the council, staff, partners, and residents was minimized due to quick action and workarounds.
  • Enhanced security: The incident led to improved security measures, including MFA and EDR implementation.

Lessons learnt

  • SIEM importance: Having a Security Information and Event Management (SIEM) solution in place could have prevented the attack by providing real-time warnings.
  • MFA necessity: Multi-factor authentication on all devices could have prevented the actor from gaining access.
  • Business continuity planning: Plans need to cover the possibility of prolonged ICT system disruption.
  • Cloud migration benefits: The council’s prior migration of 60% of its systems to the cloud helped minimize the attack’s impact.
  • Regular audits and certifications: The council’s ISO/IEC 20000 and ISO/IEC 27001 certifications contributed to its preparedness.
  • Experience matters: Previous experiences with emergencies increased the council’s readiness to deal with the cyber incident.

View original case study article at local.gov.uk [PDF]