On 22 May, local news site Shepwayvox reported that Kent Commercial Services (KCS) “suffered a ransomware attack and took down their website” on 2 April. Kent County Council (KCC) wholly owns KCS, which has an annual turnover of around £600m.
This means the personal information this company collects and is “committed to protecting” is now potentially at risk. The data of public sector bodies, businesses and individuals across England could be manipulated by ransomware attackers.
Kent Commercial Services confirms data was stolen and leaked by the ransomware attackers. A spokesperson for Kent County Council told The Canary:
On the 2nd April 2020 Commercial Services (CSG) was subject to a ransomware attack which encrypted a significant number of its systems and data. This current and malicious ‘malware’ managed to avoid 3 levels of professional IT security. This sophisticated attack allowed the criminals to access CSG’s systems and encrypt a significant amount of data. The cause of the attack bears the hallmarks of starting with a phishing email that was used to introduce a virus that would compromise the network for further attack.
Subsequent to the attack, a ransom note was issued demanding payment of £800k in Bitcoins to release and repair the company’s systems. As no ransom was paid, in accordance with Government guidance, this was followed… by some stolen data being leaked by the criminal organisation that carried out the attack. The company is in ongoing discussions with the ICO, law enforcement authorities and all customers, suppliers and other stakeholders who may be affected by this data theft.
The spokesperson elaborated further, saying:
On Monday 27th April 2020, we were notified that a sample of the stolen data was published on the Dark Web. The published sample data was reviewed by our cyber experts and our data protection team and was found to contain business and corporate information relating to Kent Commercial Services business activities. We have taken necessary steps to mitigate any potential affects following the release of the sample data.
Kent Commercial Services had in place multi-layered security protections, including; Firewalls, Web filtering, Sacrificial drives, 2 Stage email filtering, Sandboxing and quarantining, Internal vulnerabilities scanner and Endpoint Advance Threat Protection. This protection was routinely audited, subject to external testing and was deemed to be of a good, professional standard.
However, one Kent Commercial Services customer, who did not wish to be identified, contacted The Canary to say the company hadn’t contacted him. He has since followed the matter up by himself.
Describing the attackers, the Kent County Council spokesperson said:
They are a foreign criminal organisation that is well known to the law enforcement authorities.
We have no notification that any of our customers, suppliers or staff have been affected by this attack.
In doing business with one of the trading arms of Kent Commercial Services, customers submit details such as bank account details, payment card details, credit rating details. They also submit other sensitive data such as sexual orientation, health and genetic data.
Additionally, Kent Commercial Services’ recruitment division may collect information such as age and date of birth, gender, photographs, passports, driving licences or ID cards, national insurance numbers or DBS checks. This data could now be in the hands of a “criminal organisation”.
Kent County Council told The Canary the £600m Kent Commercial Services generates each year comes from two sources:
the revenue of Commercial services is circa £350m pa, we also act as an agent for customers to help them buy energy to the value of circa £250m pa.
And to buy this energy Kent Commercial Services uses the services of Laser Energy. This company manages “Kent County Council’s energy purchasing” and it claims “has grown to become one of the leading energy procurement and energy management service providers in the UK.” It works with public sector bodies such as “NHS Trusts, Universities & Colleges, Local Authorities and Housing Associations.”
Additionally, Kent County Council owns a company called Lumina which “forms part of Commercial Services Energy Division.” On Kent Commercial Services’ website it says: “Over the years, KCC [Kent County Council] has helped more than 150 local authorities manage their energy and currently procures around £400 million of gas and electricity each year.”
Kent Commercial Services also operates “across a wide range of maintenance, inspection/compliance, management and fulfilment activities”. It says its customer list includes “local authorities, businesses and schools to sports facilities and private gardens.”
The hackers could now hold this data along with bank account details, names, email addresses and passwords. Its recruitment company Connect2Staff “[deals] with permanent, temporary and contract vacancies throughout Kent and the South East.” It claims:
Our specialist recruitment consultants operate across all industries including: Health & Social Care, Education Executive & Management, Media & Marketing Construction, Technical & Engineering Support, Interpreters & Translation
The division supplies in excess of 600 temporary candidates per week and manages around 100 permanent candidates per week.
As the systems and records were encrypted as part of the attack it is not possible to confirm what data was stolen. We do know it was less than 1% of the data volume, we also know the attack did not gain access to the HR and payroll systems.
Kent Commercial Services says it takes “the protection of your personal information seriously and will treat it with care and take appropriate steps to protect it”. According to its retention policy it does “not retain your personal information for longer than is necessary”. However:
The length of time we retain your personal information for will be determined by the type of information we collect and the purpose that it has been processed for and/or our obligations under other laws.
This means some data will be retained for between two and seven years.
Damage caused by exposed data
We expect to see a continuation of cryptojacking and supply chain attacks, and an increasingly diverse range of ransomware variants.
On 8 February this year, Redcar and Cleveland Council suffered a similar attack. While the council didn’t make public the impact of that attack, one estimate said repairs could cost somewhere between £11m and £18m. In this attack on Kent Commercial Services, the perpetrators sent a ransom note for £800k in bitcoins.
The spokesperson from Kent County Council said:
Since the attack excellent progress with the recovery has been made with the majority of the key systems already back online during early/mid May. The remaining systems will be live within the coming weeks. Kent Commercial Services has been able to continue to provide its full range of services during this time.
However, this spokesperson was not in a position to discuss the cost of the attack:
Kent Commercial Services will not disclose confidential or commercial information relating to the cost of this incident.
A senior cyber and technical engineer, who did not wish to be identified, spoke to The Canary. He said it “was very disappointing” that this could happen to a company of that size. From his expertise and experience in the industry, he felt it was obvious this company had “under invested in its IT infrastructure”. He also believes this attack “should never have happened”.
This expert says Kent Commercial Services should have installed the best firewall and security available to prevent such an attack. He believes some organisations interpret government advice on protecting your organisation through schemes like “cyber essentials” as “the benchmark”. However, this scheme provides the minimum amount of IT security protection. Instead, according to this source, companies should aim for better protection through standards like ISO/IEC 27000.
Ransomware is software used by cybercriminals to attack computers, or the information stored on them. That computer could become inaccessible and the information on it could be “stolen, deleted or encrypted”. The attackers ask the computer user to pay a ransom. But even then, it’s not certain the computer user will get access to their computer or information again. Kent County Council said “no ransom was paid”.
Attacks on councils
Research on similar attacks in the US against local councils showed a 60% rise in ransomware attacks in 2019 compared to 2018. It also showed the average ransom demand was for $1,032,460 (around £833,000).
Local authorities and councils up and down the UK are being hit by an average of 800 cyber attacks every hour, with more than 263 million incidents noted in the first six months of 2019 alone
To reassure the public and businesses their data is safe, councils need to take extra precautions to ensure this. As soon as personal and business data becomes compromised, they must act quickly to inform those who could be affected by it. And as such attacks could be on the increase in the UK, this reassurance is more important now than ever before.
Fund our Investigations Unit
You can help us investigate corruption, expose injustice and uncover the truth.
As one of the only independent investigations units in the country, we work for you – but we need your help to keep going. We need to raise £10,000 to continue our groundbreaking investigations. Can you chip in?