Skórzewiak - stock.adobe.com

Neighbouring Kent councils hit by simultaneous cyber attacks

Canterbury, Dover and Thanet Councils in Kent have all been struck by simultaneous cyber attacks knocking systems offline, with indications of a link between all three

Three local authorities in Kent – Canterbury City Council, Dover District Council and Thanet District Council – have fallen victim to near-simultaneous and potentially linked cyber attacks, knocking multiple public-facing systems across Kent offline.

All three authorities are understood to be working alongside the National Cyber Security Centre (NCSC) on incident response and remediation.

In the case of Canterbury, Computer Weekly understands services including its planning department, online forms and maps have been taken offline, while Dover residents have lost access to online forms, and Thanet also appears to have lost its planning department and online forms.

In a coordinated statement, Canterbury and Dover’s councils said: “Our teams are taking a precautionary approach while we work hard to investigate the problem and to minimise any disruption to our services.

“Our email system and website have been available throughout, although some parts of the website may not quite work as intended. We are sorry for any inconvenience people may have experienced over the past few days, and will provide updates as and when we have them.”

A spokesperson for Thanet Council told reporters it had proactively limited access to its online systems following reports of an incident.

The precise nature of the attacks remains undisclosed, although they do bear some hallmarks of a ransomware incident. In this instance, the facts of the three victims’ proximity to one another, and the similar nature of the services impacted, indicate the attacks may share a common thread.

Read more on public sector security

Stephen Robinson, senior threat intelligence analyst at WithSecure, said the three councils share a number of systems as part of the East Kent Services [EKS] shared services vehicle, and suggested it was likely that this was where the incident originated, which gives an indication of what services may have been affected and what data may have been accessed.

“Service providers ... are regularly targeted to enable what is known as a supply chain attack, where compromising a single service provider allows an attacker to compromise all of their customers at the same time, for a far more devastating and impactful attack,” said Robinson.

Canterbury, Dover and Thanet first came together to set up EKS in 2011, and entered into entered into a partner relationship with to Civica in 2018 in a seven-year deal to run revenues, benefits, revenues, customer contact and debt recovery services that aimed to realise over £5m in savings, and saw over 200 employees from all three affected councils transfer to a central hub. This contract, which is not being extended beyond January 2025, does not cover any IT services, and a Civica spokesperson confirmed to Computer Weekly via email that the incident was not caused by any of the contractor's systems.

‘Ideal’ victims

Robinson said that given they hold sensitive data on local residents and provide time-critical services, local authorities in general make “ideal” victims for cyber criminals.

“Local councils not only perfectly fit this template, [but] they’ve also been operating under financial constraints which may have impacted their ability to keep their networks and digital services secure,” said Robinson. “Multiple local councils in the UK and abroad have been victims of cyber attacks in recent years, with no sign that such activity is slowing.”

Other recent cyber incidents to befall UK councils have included Comhairle nan Eilean Siar in Scotland and St Helens in Merseyside.

In a report published shortly before Christmas 2023, the parliamentary Joint Committee on the National Security Strategy warned of a lack of ransomware planning and preparedness pervading UK government at the highest levels, and said public services across the UK were essentially being held “hostage of fortune”.

The report made uncomfortable reading for local authorities, where the committee reported that many are still far too reliant on legacy IT systems that are neither secured nor updated.

This article was updated at 14:45 on Friday 19 January to incorporate a statement from Civica, and further updated at 16:50 on Thursday 7 February to additionally clarify that Civica's IT systems were not compromised.

Read more on Data breach incident management and recovery