‘Criminal organisation’ carries out a ransomware attack on a £600m company owned by Kent County Council

Peadar O'Cearnaigh

On 22 May, local news site Shepwayvox reported that Kent Commercial Services (KCS) “suffered a ransomware attack and took down their website” on 2 April. Kent County Council (KCC) wholly owns KCS, which has an annual turnover of around £600m.

This means the personal information this company collects and is “committed to protecting” is now potentially at risk. The data of public sector bodies, businesses and individuals across England could be manipulated by ransomware attackers.

What’s missing?

Kent Commercial Services confirms data was stolen and leaked by the ransomware attackers. A spokesperson for Kent County Council told The Canary:

On the 2nd April 2020 Commercial Services (CSG) was subject to a ransomware attack which encrypted a significant number of its systems and data. This current and malicious ‘malware’ managed to avoid 3 levels of professional IT security. This sophisticated attack allowed the criminals to access CSG’s systems and encrypt a significant amount of data. The cause of the attack bears the hallmarks of starting with a phishing email that was used to introduce a virus that would compromise the network for further attack.

Subsequent to the attack, a ransom note was issued demanding payment of £800k in Bitcoins to release and repair the company’s systems. As no ransom was paid, in accordance with Government guidance, this was followed… by some stolen data being leaked by the criminal organisation that carried out the attack. The company is in ongoing discussions with the ICO, law enforcement authorities and all customers, suppliers and other stakeholders who may be affected by this data theft.

The spokesperson elaborated further, saying:

On Monday 27th April 2020, we were notified that a sample of the stolen data was published on the Dark Web. The published sample data was reviewed by our cyber experts and our data protection team and was found to contain business and corporate information relating to Kent Commercial Services business activities. We have taken necessary steps to mitigate any potential effects following the release of the sample data.

And:

Kent Commercial Services had in place multi-layered security protections, including: Firewalls, Web filtering, Sacrificial drives, 2 Stage email filtering, Sandboxing and quarantining, Internal vulnerabilities scanner and Endpoint Advance Threat Protection. This protection was routinely audited, subject to external testing and was deemed to be of a good, professional standard.

However, one Kent Commercial Services customer, who did not wish to be identified, contacted The Canary to say the company hadn’t contacted him. He has since followed the matter up by himself.

Describing the attackers, the Kent County Council spokesperson said:

They are a foreign criminal organisation that is well known to the law enforcement authorities.

We have no notification that any of our customers, suppliers or staff have been affected by this attack.

Customer data

In doing business with one of the trading arms of Kent Commercial Services, customers submit bank account, payment card and credit rating details. They also submit other sensitive data such as sexual orientation, health and genetic data.

Additionally, Kent Commercial Services’ recruitment division may collect information such as age and date of birth, gender, photographs, passports, driving licences or ID cards, national insurance numbers or DBS checks. This data could now be in the hands of a “criminal organisation”.

Services

Kent County Council told The Canary the £600m Kent Commercial Services generates each year comes from two sources:

The revenue of Commercial Services is circa £350m pa; we also act as an agent for customers to help them buy energy to the value of circa £250m pa.

And to buy this energy Kent Commercial Services uses the services of Laser Energy. This company manages “Kent County Council’s energy purchasing” and claims it “has grown to become one of the leading energy procurement and energy management service providers in the UK.” It works with public sector bodies such as “NHS Trusts, Universities & Colleges, Local Authorities and Housing Associations.”

Additionally, Kent County Council owns a company called Lumina which “forms part of Commercial Services Energy Division.” On Kent Commercial Services’ website it says: “Over the years, KCC [Kent County Council] has helped more than 150 local authorities manage their energy and currently procures around £400 million of gas and electricity each year.”

Kent Commercial Services also operates “across a wide range of maintenance, inspection/compliance, management and fulfilment activities”. It says its customer list includes “local authorities, businesses and schools to sports facilities and private gardens.”

The hackers could now hold this data along with bank account details, names, email addresses and passwords. Kent Commercial Services’ recruitment company Connect2Staff “[deals] with permanent, temporary and contract vacancies throughout Kent and the South East.” It claims:

Our specialist recruitment consultants operate across all industries including: Health & Social Care, Education Executive & Management, Media & Marketing Construction, Technical & Engineering Support, Interpreters & Translation

The division supplies in excess of 600 temporary candidates per week and manages around 100 permanent candidates per week.

The recruitment privacy policy of Connect2Staff explains what data it holds and for how long. However, the Kent County Council spokesperson told The Canary:

As the systems and records were encrypted as part of the attack it is not possible to confirm what data was stolen. We do know it was less than 1% of the data volume; we also know the attack did not gain access to the HR and payroll systems.

Privacy policy

Kent Commercial Services says it takes “the protection of your personal information seriously and will treat it with care and take appropriate steps to protect it”. According to its retention policy it does “not retain your personal information for longer than is necessary”. However:

The length of time we retain your personal information for will be determined by the type of information we collect and the purpose that it has been processed for and/or our obligations under other laws.

This means some data will be retained for between two and seven years.

Damage caused by exposed data

Ransomware attacks can cost individuals and organisations millions to repair. A 2017-2018 report by the National Cyber Security Centre (NCSC) said:

We expect to see a continuation of cryptojacking and supply chain attacks, and an increasingly diverse range of ransomware variants.

On 8 February this year, Redcar and Cleveland Council suffered a similar attack. While the council didn’t make public the impact of that attack, one estimate said repairs could cost somewhere between £11m and £18m. In this attack on Kent Commercial Services, the perpetrators sent a ransom note for £800k in bitcoins.

The spokesperson from Kent County Council said:

Since the attack excellent progress with the recovery has been made with the majority of the key systems already back online during early/mid May. The remaining systems will be live within the coming weeks. Kent Commercial Services has been able to continue to provide its full range of services during this time.

However, this spokesperson was not in a position to discuss the cost of the attack:

Kent Commercial Services will not disclose confidential or commercial information relating to the cost of this incident.

Expert opinion

A senior cyber and technical engineer, who did not wish to be identified, spoke to The Canary. He said it “was very disappointing” that this could happen to a company of that size. From his expertise and experience in the industry, he felt it was obvious this company had “under invested in its IT infrastructure”. He also believes this attack “should never have happened”.

This expert says Kent Commercial Services should have installed the best firewall and security available to prevent such an attack. He believes some organisations interpret government advice on protecting their organisations through schemes like “Cyber Essentials” as “the benchmark”. However, this scheme provides only the minimum level of IT security protection. Instead, according to this source, companies should aim for better protection through standards like ISO/IEC 27000.

Ransomware

Ransomware is malicious software used by cybercriminals to attack computers or the information stored on them. The computer can become inaccessible and the information on it can be “stolen, deleted or encrypted”. The attackers then demand that the computer’s owner pay a ransom. But even if the ransom is paid, there is no guarantee the owner will regain access to their computer or information. Kent County Council said “no ransom was paid”.

Attacks on councils

Research on similar attacks in the US against local councils showed a 60% rise in ransomware attacks in 2019 compared to 2018. It also showed the average ransom demand was for $1,032,460 (around £833,000).

And while attacks in the US were more common than in the UK, ComputerWeekly.com reported this may now be changing. The computer magazine previously reported in October 2019:

Local authorities and councils up and down the UK are being hit by an average of 800 cyber attacks every hour, with more than 263 million incidents noted in the first six months of 2019 alone

To reassure the public and businesses their data is safe, councils need to take extra precautions to ensure this. As soon as personal and business data becomes compromised, they must act quickly to inform those who could be affected by it. And as such attacks could be on the increase in the UK, this reassurance is more important now than ever before.

Featured image via YouTube – Kent County Council / Flickr – MedithIT

    1. It’s becoming increasingly common among organisations which have been subject to cyber attacks to claim that the attackers used “sophisticated” measures to gain entry.

      However, the published facts in this case, as in others, speak otherwise.

      Firstly, if KCS is holding credit/debit card information it is doing so in breach of the PCI-DSS standards and against the advice of the ICO.

      Secondly, any IT Security Department worth its salt would be fully aware of the potential impact of phishing scams and would identify this risk in its security plan and take counter-measures to ensure it was properly mitigated.

      These measures would include both software and hardware resources to counter the impact of ransomware as well as staff actions to minimise its spread – in the last instance pulling cables out of the back of boxes to take them off a network.

      This article indicates that there was no viable plan, that there had been underinvestment in security, and that a proper assessment of data assets had not taken place.

      I suspect that more than one member of the IT staff had long had concerns about vulnerability and those concerns were minimised by managers who underestimated risk and didn’t want to spend money to properly secure data.

      It is now common practice to encrypt data at rest in many business environments precisely because of the risk of theft; the days of not securing data in this way are rightly drawing to a close.

      KCS will no doubt now be subject to the scrutiny of the ICO – failing to properly secure data assets could cost them 4% of their turnover – it would have been better to spend it on security.
