Three local authorities in Kent – Canterbury City Council, Dover District Council and Thanet District Council – have fallen victim to near-simultaneous and potentially linked cyber attacks, knocking multiple public-facing systems across Kent offline.
All three authorities are understood to be working alongside the National Cyber Security Centre (NCSC) on incident response and remediation.
In the case of Canterbury, Computer Weekly understands services including its planning department, online forms and maps have been taken offline, while Dover residents have lost access to online forms, and Thanet also appears to have lost its planning department and online forms.
In a coordinated statement, Canterbury and Dover’s councils said: “Our teams are taking a precautionary approach while we work hard to investigate the problem and to minimise any disruption to our services.
“Our email system and website have been available throughout, although some parts of the website may not quite work as intended. We are sorry for any inconvenience people may have experienced over the past few days, and will provide updates as and when we have them.”
A spokesperson for Thanet Council told reporters it had proactively limited access to its online systems following reports of an incident.
The precise nature of the attacks remains undisclosed, although they do bear some hallmarks of a ransomware incident. In this instance, the three victims’ proximity to one another, and the similar nature of the services impacted, indicate the attacks may share a common thread.
Stephen Robinson, senior threat intelligence analyst at WithSecure, said: “The three councils affected by this cyber attack all outsource their IT, revenues and benefits, and call centre services to Civica as part of the East Kent Services [EKS] shared services vehicle. It is very likely that this is where the incident occurred, which gives an indication of what services may have been affected and what data may have been accessed.
“There is also a concern as to whether this cyber attack impacted only EKS, or also Civica itself,” he said. “Service providers such as Civica are regularly targeted to enable what is known as a supply chain attack, where compromising a single service provider allows an attacker to compromise all of their customers at the same time, for a far more devastating and impactful attack.”
Canterbury, Dover and Thanet first came together to set up EKS in 2011, but outsourced it to Civica in 2018 in a seven-year deal that aimed to realise over £5m in savings, and saw over 200 employees from all three affected councils transfer to a central hub.
However, given Civica plans to exit the business process outsourcing (BPO) market, the contract will not be extended beyond January 2025, and the councils have been working on their next steps.
Computer Weekly reached out to Civica, but had not received a reply at the time of writing.
‘Ideal’ victims
Robinson said that given they hold sensitive data on local residents and provide time-critical services, local authorities in general make “ideal” victims for cyber criminals.
“Local councils not only perfectly fit this template, [but] they’ve also been operating under financial constraints which may have impacted their ability to keep their networks and digital services secure,” said Robinson. “Multiple local councils in the UK and abroad have been victims of cyber attacks in recent years, with no sign that such activity is slowing.”
Other recent cyber incidents to befall UK councils have included Comhairle nan Eilean Siar in Scotland and St Helens in Merseyside.
In a report published shortly before Christmas 2023, the parliamentary Joint Committee on the National Security Strategy warned of a lack of ransomware planning and preparedness pervading UK government at the highest levels, and said public services across the UK were essentially being held “hostage of fortune”.
The report made uncomfortable reading for local authorities, many of which, the committee reported, are still far too reliant on legacy IT systems that are neither secured nor updated.