UK councils and hospitals at risk of cyber hackers, ITV News reveals

An ITV News investigation has found hundreds of potential vulnerabilities on public service websites. Sam Holder reports.

An ITV News investigation into cyber security at public services has revealed an enormous disparity in defence budgets, hundreds of potential website vulnerabilities and the email addresses and passwords of staff at one council posted in full online.

These services are crucial for the smooth running of day-to-day life in Britain and hold swathes of your sensitive data.

Exclusive figures show that one council in Britain is spending just £32,000 a year on cyber security.

In comparison, another council - with a smaller population - has an annual budget of £1,000,000, a difference of more than 30 times.

One hospital sets aside just £10,000 a year towards cyber security.

The names of the public institutions involved are being withheld, to avoid turning them into targets.

'If I was a criminal, this is a gold mine of information'

Ethical hacker, known as 'FC', shows ITV News the vulnerabilities found on council websites, revealing sensitive email addresses and passwords

Cyber attacks on councils, government departments and hospitals have caused real-life problems for tens of thousands of people. ITV News has found evidence of examples including:

  • Residents forced to leave their homes

  • Hospital operations cancelled

  • Incorrect benefit payments

  • Overcharged tax bills 

  • House sales falling through

  • Repairs to council houses not being carried out

  • Inability to apply for council housing 

  • Sensitive data leaked online

The former head of the National Cyber Security Centre, Ciaran Martin, says public services are facing “really serious problems that need national level policy attention”.

A devastating cyber attack against Hackney council in October 2020, destroyed the systems used for council tax and benefit payments, property sales, planning applications and children’s services (meant to protect vulnerable young people), as well as the systems used by many other departments. Some services still haven’t returned to normal almost two years later.

'The people that have been impacted - I can only apologise for that and say that we've worked tirelessly to recover our systems, put that right, and ensure it can't happen again' - Mayor of Hackney Philip Glanville

The hack led to one family of seven being kicked out of their home after the council was unable to update their housing benefits.

Leon (not his real name) says he tried to contact Hackney for 18 months to ask for his payments to be increased in line with the annual rise in rent, but claims his phone calls and emails went unanswered. His landlord forced him to leave because he couldn’t meet the shortfall.

The family found a new home but risk being asked to leave again because Leon’s benefit payments still haven’t been adjusted. The Mayor of Hackney has apologised and asked Leon to try to speak to a housing officer.

Ciaran Martin, former head of the National Cyber Security Centre, believes that around three-quarters of cyber crime comes from within Russia and that it is “tolerated by the Russian government”. Attacks against public services in the UK have also been blamed on hackers from North Korea and criminal gangs.

One of the most common forms of attack is ransomware, a type of software which demands payment - usually in bitcoin - or deletes the systems it has infected. UK policy is for public services not to pay the ransom.

Redcar suffered such extensive damage during a ransomware attack that the council was forced back into using pen and paper. Museums and hospitals have also reported near constant attempts to infect their servers. The destruction caused by the attack on Hackney cost upwards of £10 million.

A number of experts have expressed concern to ITV News about a lack of clarity and standards for public services to follow when it comes to cyber security. Councils in particular are already under immense financial pressure and often use outdated IT systems which aren’t guaranteed as secure anymore by the companies that made them.

'One of the key ways that we can see organisations step up is if we all demand more security of them' - Cyber security expert, Dr Jessica Barker

While council cyber security budgets can only tell us so much - money could be spent ineffectively and the type of training and culture amongst staff at public institutions is key - they do highlight the lack of consistency when it comes to defending against threats.

In response to the ITV News investigation, the government said that “councils are responsible for their own networks and systems, and it is up to each council to ensure appropriate security measures, governance and training are in place”.

The government has announced a new cyber security strategy which aims to improve resilience across the public sector by 2030 and says it is providing £37.8 million of funding to tackle cyber challenges facing local councils.