Hackney Council downplays data breach in disagreement with privacy regulator

In October 2020, Hackney Council experienced a devasting cyberattack that compromised the personal data of approximately 280,000 individuals and disrupted many of its services. The breach was so significant that it is still affecting the council over four years later.

Following an investigation into the cyberattack, the Information Commissioner’s Office (ICO) identified serious security failures within the council’s systems and reprimanded the local authority for its poor data security processes. However, Hackney Council has challenged these findings.

What is the ICO?

The ICO (Information Commissioner’s Office) is the UK’s independent regulator for data protection and privacy rights. It enforces the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring organisations handle personal data responsibly and securely.

The ICO has the power to investigate data breaches, issue fines, and take enforcement action against companies and public bodies that fail to protect people’s personal information. While it often imposes significant fines for serious security lapses, in some cases, it opts for a reprimand – a formal warning highlighting failures without financial penalties.

What did the ICO’s investigation into the Hackney Council find?

The ICO’s investigation found serious security failures in Hackney Council’s IT systems, which made it easier for hackers to access and encrypt sensitive data.

The watchdog determined Hackney Council had:

  • Failed to keep IT systems updated with the latest security patches – making them vulnerable to cyberattacks.
  • Allowed dormant accounts with weak credentials to remain active – one of which was exploited by hackers.
  • Not implemented adequate security measures to prevent unauthorised access to residents’ personal information.

Despite these findings, the ICO chose to reprimand Hackney Council rather than issue a fine. This decision has raised questions about whether the council has been held accountable properly, considering the severity of the breach and the risk it posed to thousands of residents.

What was Hackney Council’s response?

Despite getting off without having to pay a fine, Hackney Council expressed disagreement with the ICO’s conclusions. It denied breaching its security obligations, arguing that the ICO had misunderstood the facts, misapplied the law, and exaggerated the risk to residents’ data.

Hackney Council stated:

“While we welcome the ICO completing its investigation, we maintain that the Council has not breached its security obligations. We consider that the ICO has misunderstood the facts and misapplied the law with respect to the issues in question, and has mischaracterised and exaggerated the risk to residents’ data.”

A council spokesperson emphasised the complexity of modern IT systems and the evolving nature of cyber threats. They highlighted the council’s ongoing efforts to collaborate with national cybersecurity agencies and invest in modern, secure systems to protect public services.

Nevertheless, the council also refused to challenge the ICO’s decision, stating:

“It was not in our residents’ interests to use our limited resources to challenge the ICO’s decision.”

Reaction from the public and legal experts

Many legal experts disagree with Hackney Council’s bullish defence. While there is support for its focus on future cybersecurity improvements, critics argue that downplaying the ICO’s findings undermines the severity of the breach and its impact on affected individuals. If a private company had suffered a similar attack and failed to secure sensitive data, it would likely have faced a substantial fine rather than just a reprimand.

What are the risks for Hackney residents?

The long-term risks for Hackney residents affected by this data breach should not be ignored. Even though the attack happened in 2020, stolen personal data can still be used for fraud, identity theft, and online scams. In some cases, criminals hold onto stolen data for months or years before selling it or using it maliciously.

Potential risks include:

  • Identity theft – fraudsters could open credit accounts or take out loans in a resident’s name.
  • Targeted phishing scams – criminals may use stolen data to impersonate trusted organisations (such as banks or councils) and trick residents into revealing more information.
  • Financial fraud –bank details stolen in such scams may be used to attempt unauthorised transactions.
  • Exploitation of sensitive personal information – details about race, religion, health, or criminal records could be misused or exposed.

These risks make it crucial for affected residents to remain vigilant, monitor their bank accounts, and watch out for suspicious activity. However, the emotional toll of this constant vigilance should not be underestimated. The anxiety of knowing your personal data could be misused at any time can lead to stress, loss of trust in institutions, and a feeling of helplessness, particularly for those already in vulnerable situations.

Can you claim compensation for the Hackney Council data breach?

If your personal information was breached in the Hackney Council data breach, you could be entitled to compensation.

Answer a few quick questions now to see if you qualify to join the no-win, no-fee claim. If you qualify, we’ll update you on the next steps.

Check my eligibility now

You may also like:

Thousands of drivers given permission to sue BMW for illegal emissions devices

In January 2024, the High Court ruled that drivers could sue BMW for fitting some diesel vehicles with devices that tricked emissions tests. The illegal devices made it seem like BMW’s diesel cars were less-polluting than they actually were.

Asda equal pay claim: Can store workers fight for fair wages?

Asda store workers may be underpaid. Check if you qualify for an equal pay claim and take action to seek the compensation you deserve.

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.

You might also like

See more resources

Several bottles of Johnson's baby powder on a store shelf, symbolising the Johnson and Johnson talc lawsuit over alleged asbestos contamination and cancer risks.
  • News, Product Liability

Johnson & Johnson talc lawsuit in the UK: What you need to know

A UK lawsuit claims Johnson & Johnson’s talc products cause cancer. Learn about the case,...
Low-angle view of people walking in a city, symbolising unity and collective action, related to key facts about group litigation for seeking justice.
  • News

10 must-know facts about group litigation for first-time claimants

Discover 10 essential facts about group litigation for first-time claimants. Learn how joining a group...
  • News, Travel

Flight cancelled or delayed for 3+ hours? You could be due compensation!

Flight delays and cancellations can completely disrupt your travel plans, costing you time, money, and...

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the claim is a registered trading name of Big on Media ltd. Big on Media is registered in the United Kingdom under licence number 09878028 with its registered office located at Big on Media, 6 Sunderland Street, Tickhill, Doncaster, DN11 9QJ

© Join the Claim All Rights Reserved | 2025

Go to claims