Incident Analysis

Hackney Council Ransomware Attack 2020: The Pysa Attack That Took Two Years to Recover From

In October 2020, Hackney London Borough Council was struck by the Pysa ransomware group — one of the most damaging cyber attacks ever suffered by a UK local authority. Resident data was exfiltrated and published on the dark web. Housing benefit payments were disrupted. Council tax services were degraded. Recovery took approximately two years and cost millions. The Hackney attack became the benchmark case study for why UK local authorities must invest in cyber resilience.

Hackney Council's 2020 Pysa ransomware attack took approximately two years to fully recover from — resident data including sensitive personal information was published on the dark web.

What Happened at Hackney Council

The Pysa ransomware group — also known as Mespinoza — attacked Hackney Council in October 2020. The attackers gained access to the council's network, exfiltrated significant volumes of sensitive data, and then deployed ransomware that encrypted council systems. Affected services included housing benefit processing, council tax, planning applications, and key council databases. The attack was not simply an IT incident: it disrupted services to some of London's most vulnerable residents.

The Data Leak and Its Impact on Residents

Pysa operated a double-extortion model — exfiltrating data before encrypting systems, then threatening to publish it if the ransom was not paid. Hackney did not pay. The attackers published stolen data on their dark web leak site. The leaked data reportedly included sensitive personal information about council staff and residents — including data relating to social care, housing, and council operations. The ICO investigated the breach.

The Recovery Process

Recovery from the Hackney attack was a multi-year process. The council rebuilt systems progressively, prioritising essential public services. Some council systems remained degraded or unavailable for many months. The attack demonstrated the operational scale of recovering from a major ransomware incident for a large metropolitan borough — a task requiring sustained investment, technical expertise, and political support.

Lessons for UK Local Authorities

The Hackney attack reinforced several critical lessons:

  • Ransomware groups target councils and exfiltrate data before encrypting — prevention must focus on detection and lateral movement control, not just perimeter defence
  • Recovery without tested backups takes years — immutable, tested backup capabilities are essential
  • Resident services depend on council IT — cyber incidents have real human consequences for vulnerable people
  • Political and communications planning must be part of incident response — not an afterthought
  • Post-incident remediation requires sustained investment — it is not a quick fix

Frequently Asked Questions

Did Hackney Council pay the Pysa ransom?

Hackney Council has not confirmed paying a ransom. The council focused on recovery through its own capabilities. The Pysa group subsequently published stolen Hackney data on their dark web leak site — consistent with their double-extortion model when ransoms are not paid.

Was Hackney Council fined by the ICO for the ransomware attack?

The ICO investigated the Hackney Council breach. The ICO's approach to public sector enforcement has evolved — it has moved towards issuing reprimands rather than large fines for public authorities, recognising that fines ultimately come from public funds. Councils should focus on the operational and reputational consequences of incidents rather than assuming enforcement is the primary risk.

How can councils protect against the Pysa/Mespinoza ransomware group?

Pysa typically gains initial access through phishing or exploitation of internet-facing systems, then conducts extended reconnaissance before deploying ransomware. Defences include: MFA on all accounts (blocks most credential-based access), EDR to detect lateral movement, network segmentation to limit spread, and immutable backups to enable recovery. Regular vulnerability scanning to identify exposed systems is also critical.
