Cyber Incident Victim: Kent Commercial Services
Date: Apr 2020
Location: United Kingdom
Summary
A cyber attack on a Kent County Council-owned firm supplying protective equipment during the Covid-19 crisis began with a phishing email that introduced malware, compromising the network. Hackers encrypted systems and data, demanding an £800,000 Bitcoin ransom while leaking business-related information on the dark web. The company refused payment and restored most operations in over four weeks, with remaining systems expected shortly thereafter. Although no taxpayer data was breached, corporate information was exposed. The Information Commissioner’s Office provided guidance but deemed no further action necessary. The incident disrupted critical services amid the pandemic, highlighting operational vulnerabilities.
Description
On or around April 2, 2020, Kent Commercial Services (KCS), a firm owned by Kent County Council that supplies services including PPE to public authorities during the COVID-19 pandemic, suffered a cyberattack. The attackers encrypted the company's systems and data, rendering them inaccessible, and demanded an £800,000 Bitcoin ransom for decryption and restoration. Investigative reports indicated the attack likely originated from a phishing email containing malware that compromised KCS's network. The hackers subsequently leaked stolen corporate and business operation data related to KCS's commercial activities on the dark web after the ransom remained unpaid. KCS confirmed no personal taxpayer information was compromised in the breach. The company's chief executive characterized the timing as particularly malicious given the critical role KCS played in pandemic response efforts through PPE distribution.

KCS refused to pay the ransom and initiated recovery operations, restoring most systems within four weeks with enhanced security measures. Remaining systems were scheduled to become operational within the following two weeks. The Information Commissioner's Office (ICO) conducted an assessment, provided data protection guidance to KCS, and determined no regulatory action was warranted. The incident caused significant operational disruption during a period of heightened demand for KCS's services, though the firm maintained its independent operations throughout the recovery. The attackers' actions exclusively targeted business information, with no evidence of broader compromise beyond KCS's corporate data and systems.
