Cyber Incident Victim: Tiverton Town Council
Date: Feb 2017
Location: United Kingdom
Summary
A town council in Devon experienced a significant ransomware attack after an employee mistakenly opened a malicious email disguised as a parcel delivery notification, triggering immediate system encryption. The incident resulted in the loss of all documents dating back over a year, excluding finance and planning records stored separately. Operational recovery required months of rescanning correspondence, prompting security reviews. Law enforcement provided mitigation guidance and alerted neighboring councils about the threat. The attacker demanded payment for decryption, but the council declined due to uncertainty of data restoration. This caused substantial disruption to administrative functions and heightened staff caution regarding email communications.
Description
On February 3, 2017, Tiverton Town Council in Devon experienced a significant data loss incident triggered by a ransomware attack. Town Clerk John Vanderwolfe inadvertently opened a malicious email disguised as a communication from a parcel delivery firm, which immediately compromised the council's systems. He reported unusual physical behaviour from the affected computer, describing it as "actually starting to shake," followed by rapid encryption of all accessible council data. The ransomware demanded payment for decryption, though Vanderwolfe noted there was no guarantee data would be restored even if the ransom was paid. The attack resulted in the permanent loss of all council documents created between 2015 and the incident date, except for finance and planning records stored on a separate system. The encryption affected all council computers, indicating widespread system compromise. Vanderwolfe, who had served for 12 years, described this as the most severe incident during his tenure, attributing the mistake to the volume of daily emails and to subtle warning signs that went unheeded in routine operations.

The attack primarily destroyed correspondence archives, requiring months of rescanning and re-uploading efforts to reconstruct records. Immediate technical containment involved isolating infected systems, though the article does not specify whether decryption was attempted. Devon and Cornwall Police provided post-incident security guidance to the council while initiating broader threat notifications to neighboring local authorities to bolster regional cybersecurity preparedness. Internally, the council initiated reviews of its computer security protocols, though specific measures adopted remain unspecified. The incident profoundly impacted operational workflows and personnel confidence, with Vanderwolfe expressing persistent reluctance to open email attachments due to lingering apprehension. No data recovery outcomes or financial demands were disclosed, leaving the encrypted data irrecoverable through means described in the public report.
