Gloucester City Council, in South West England, spent more than £1.1 million recovering from a ransomware attack that struck in December 2021. The incident not only caused financial strain but also drew a formal reprimand from the Information Commissioner's Office (ICO). The ICO criticised the council's security weaknesses, in particular the absence of robust security controls and its failure to stop the attackers from tampering with system logs, which left the council unable to establish exactly what had happened on its network.
The attack began with a spearphishing email and forced the council into substantial expense: hiring specialist security consultants, upgrading software, replacing key equipment, and migrating all of its IT systems to cloud hosting. Although backups were in place, the council opted for a complete rebuild of its systems instead, which significantly prolonged data recovery. The ICO's reprimand set out a series of deficiencies and cited potential breaches of the General Data Protection Regulation (GDPR). Such breaches can attract penalties of up to 4% of an organisation's global annual turnover.