The Case Of Leicester City Council Cyber Breach: An Analysis Of Errors Public Bodies Could Be Making

A compliance expert warns that other public bodies are at risk of similar attacks. The CEO of compliance training company Skillcast, Vivek Dodd, highlights the potential gaps in the security measures for other potential targets.

The recent incident Leicester City Council server breach exposed some confidential documents online, including rent statements and passport information.

INC Ransom, a ransomware gang, claimed responsibility while echoing their recent attack on NHS Dumfries and Galloway.

The Strategic Director of Leicester City Council, Richard Sword, strongly condemned the breach while emphasising its grave implications. Given the UK Government’s firm stance against engaging with ransomware actors, it’s unlikely that the INC Ransom is looking to gain financially from these attacks.

How can other public bodies be alerted?

Compliance expert and CEO of compliance training company Skillcast, Vivek Dodd warns, “The landscape of ransomware attacks is evolving. With financial gains becoming harder to secure, perpetrators may resort to tactics designed to inflict widespread disruption as a means of exerting power.”

He emphasises the gravity of this shift: “Other public bodies are at risk of similar attacks which raises the concern of widespread digital disruption.”

While ensuring that staff receive training on fundamental aspects such as avoiding weak passwords or clicking on suspicious links, Skillcast highlights some of the less obvious errors that can have far-reaching consequences to help councils prepare:

1. Granting Excessive Access Permissions – Allowing users unrestricted access to resources beyond what is necessary for their role can increase the likelihood of insider threats and exacerbate the impact of a security breach.

2. Neglecting Network Segmentation – Failing to divide the network into smaller, isolated segments with separate access controls leaves it vulnerable to the rapid spread of malware or unauthorised access, amplifying damage to the council’s systems and data in the event of a breach.

3. Neglecting Incident Response Preparedness – Failing to develop comprehensive incident response protocols tailored to specific cyber threats and scenarios hampers the council’s ability to respond swiftly and effectively to security incidents, prolonging downtime and exacerbating the impact on operations.

4. Skipping Red Team Exercises – Neglecting to conduct regular simulated cyber attack scenarios, known as red team exercises, deprives councils of the opportunity to identify weaknesses in their cybersecurity posture and improve incident response capabilities through real-world simulations.

5. Disregarding a Zero Trust Architecture – Failing to adopt a zero-trust approach to security, where continuous authentication and authorisation are required for all network resources, exposes councils to heightened risks of insider threats and unauthorised access, compromising the integrity of their systems and data.

Skillcast advises that residents concerned about potential data breaches following the recent cyber incident should remain vigilant and monitor their financial accounts for any suspicious activity, including unsolicited communication. Additionally, refrain from providing personal or financial details unless certain of the legitimacy of the request.

Vivek states: “While the council is in the process of contacting affected individuals, residents are encouraged to proactively update their passwords and be cautious of phishing attempts. It’s also essential to stay informed through official channels and seek support if you’re feeling overwhelmed.”

Skillcast: The compliance training company

The Skillcast Group sets up compliance portals to help companies educate their staff and record, analyse, and evidence staff activities to cope with their regulatory and ESG (environmental, social and governance) obligations. Its technology application provides e-learning management, in-person training management, CPD (continuing professional development), policy attestation, staff declarations, anonymised surveys, gifts and hospitality registers, PA dealing registers, whistleblowing registers, and compliance breach registers. It also provides a comprehensive set of tools for managing the approval/certification of Senior Managers and Certified Persons under the SM&CR for financial services firms.

The Group also provides several libraries of off-the-shelf compliance e-learning courses and develops bespoke e-learning content for blue-chip companies in the UK and across Europe. It has pioneered the Intelligent Learning approach, leveraging user interactions and gamification to drive employee engagement and compliance effectiveness.