
Cyber Incident Victim: St Helens Borough Council

Date: Aug 2023

Location: United Kingdom

Summary

St Helens Borough Council experienced a suspected ransomware cyber attack affecting its IT systems and networks. The council implemented security measures to keep networks running and is providing services via its website while the complex situation is investigated. Residents were urged to be mindful of online safety and alert to potential scam communications.


Description

On or around Monday, August 21, 2023, St Helens Council was subjected to a significant cyber security incident, which the local authority identified that same day. The council promptly confirmed the event in a public statement, characterizing it as a suspected ransomware attack that had impacted its IT systems and networks. Upon discovering the breach, the council immediately alerted its external cyber security contractor to begin a comprehensive investigation. In a ransomware attack, malicious actors infiltrate an organization's digital infrastructure and encrypt files, rendering them inaccessible to legitimate users. The perpetrators then typically demand a financial ransom in exchange for the decryption key required to restore access to the locked systems and data. This form of attack has been deployed in numerous high-profile cases globally, including a major incident affecting the United Kingdom's National Health Service (NHS) in 2017, illustrating the severe disruption such attacks can cause to critical public services.


In response to the incident, St Helens Council acted swiftly to implement a series of security measures designed to maintain the safe operation of its IT networks amidst the ongoing threat. The council described the situation as both complex and evolving, indicating that the full scope and impact of the attack were still being assessed by their team and the engaged cyber security specialists. As a direct consequence of the protective actions taken to prevent any further intrusion or damage, some of the council's internal systems were affected. These necessary countermeasures, while crucial for containment and security, resulted in operational disruptions to various internal functions. Despite these internal challenges, the council emphasized its commitment to maintaining public services by continuing to provide access to them through its official website, ensuring that residents could still interact with and receive necessary services from the local authority online.

The council also took proactive steps to communicate with the public about the incident and the potential risks associated with it. A primary concern raised was the heightened threat of online scams, particularly phishing attempts that might exploit the situation. Residents were urged to be exceptionally vigilant and mindful of their online safety. The council warned that malicious actors often use such periods of disruption and public concern to launch secondary attacks via deceptive communications. Specifically, the public was advised to watch for fraudulent emails that might appear to originate from legitimate institutions like banks, falsely notifying recipients of a new direct debit setup. These emails are crafted to look authentic and commonly contain links that, if clicked, direct individuals to counterfeit websites designed to harvest sensitive personal and financial information, such as bank account details, login credentials, and contact information.

To combat this increased risk, St Helens Council provided clear guidance to its residents, advising them to always treat unsolicited calls, texts, or emails requesting personal or financial data with extreme skepticism. Instead of engaging with these potentially fraudulent messages, the council recommended that individuals contact the company or organization in question directly using a verified and known email address or phone number, obtained independently from the entity's official website or correspondence. The council directed residents to its online resources for more information on recognizing and avoiding scams, specifically highlighting the webpage www.sthelens.gov.uk/watchoutforscams as a source of helpful tips for those who suspect they may have been contacted by a scammer. This public advisory was part of a broader effort to safeguard the community from further harm during the IT incident.

Throughout the ongoing investigation and response efforts, St Helens Council and its cyber security partners worked diligently to resolve the incident. The council's public statements sought to reassure residents that every possible effort was being made to address the breach and restore full functionality to its systems. However, the inherent complexity of a ransomware attack means that resolution can be protracted, involving detailed forensic analysis to understand the attack vector, the extent of data compromise, and the necessary steps for recovery and future prevention. The council acknowledged this complexity, noting that the situation was continuously evolving as the investigation uncovered new information. The primary focus remained on securing systems, protecting resident data, and ensuring the continuity of essential services provided by St Helens Borough Council.
