Investigation into Hackney Council data breach found serious security failures

In October 2020, Hackney Council experienced a significant cyber-attack that compromised the personal data of approximately 280,000 individuals, including local residents and staff. The Information Commissioner’s Office (ICO) – which is the UK’s data protection watchdog – has since conducted an investigation into the breach, revealing serious security failures within the council’s systems.

What did the ICO have to say about the Hackney Council data breach?

The ICO’s investigation uncovered that hackers accessed and encrypted around 440,000 files, some of which contained sensitive personal information such as:

  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Health data
  • Economic data
  • Criminal offence data
  • Basic personal identifiers like names and addresses

Identified security failures

The ICO identified critical lapses in Hackney Council’s data protection measures, including:

  • Inadequate patch management: The council failed to ensure that security patches were consistently applied across all devices.
  • Dormant accounts with weak credentials: An inactive account with an insecure password remained connected to the council’s servers, which the attackers exploited.

Commenting on the breach, Stephen Bonner, Deputy Commissioner at the ICO, stated:

“This was a clear and avoidable error from London Borough of Hackney, one that has resulted in a mass loss of data and has had a severely detrimental impact on many residents. At its absolute worst, this has meant that some of the most deeply personal information possible has ended up in the hands of the attackers.”

The council said it did not accept the ICO’s findings and that it had not violated its security obligations.

Will Hackney Council have to pay a fine?

Despite the severity of the breach, Hackney Council has not been fined by the ICO. Instead, it has been issued with a formal reprimand. So, while the council has been criticised for its security failings, it will not face financial penalties.

This decision has sparked concerns about whether Hackney Council has gotten off lightly. With thousands of residents affected and highly sensitive data compromised, many believe that stronger action should have been taken to hold the council accountable. While a fine would not undo the damage, it would serve as a deterrent to other councils and organisations handling vast amounts of personal data.

But it is not too late to hold the council responsible. Data protection laws exist to ensure organisations take the necessary steps to safeguard personal information. If they fail in this duty, those affected have the right to seek justice and make a compensation claim.

Claim no-win, no-fee compensation for the Hackney Council data breach

If your personal information was breached in the Hackney Council data breach, you could be entitled to compensation. Holding organisations accountable for poor data security is crucial, and you have the right to seek redress if your data has been compromised.

Check your eligibility today. It’s fast, free, and there is no obligation to proceed.

Check my eligibility now

You may also like:

Thousands of drivers given permission to sue BMW for illegal emissions devices

In January 2024, the High Court ruled that drivers could sue BMW for fitting some diesel vehicles with devices that tricked emissions tests. The illegal devices made it seem like BMW’s diesel cars were less-polluting than they actually were.

Asda equal pay claim: Can store workers fight for fair wages?

Asda store workers may be underpaid. Check if you qualify for an equal pay claim and take action to seek the compensation you deserve.

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.

You might also like

See more resources

Several bottles of Johnson's baby powder on a store shelf, symbolising the Johnson and Johnson talc lawsuit over alleged asbestos contamination and cancer risks.
  • News, Product Liability

Johnson & Johnson talc lawsuit in the UK: What you need to know

A UK lawsuit claims Johnson & Johnson’s talc products cause cancer. Learn about the case,...
Low-angle view of people walking in a city, symbolising unity and collective action, related to key facts about group litigation for seeking justice.
  • News

10 must-know facts about group litigation for first-time claimants

Discover 10 essential facts about group litigation for first-time claimants. Learn how joining a group...
  • News, Travel

Flight cancelled or delayed for 3+ hours? You could be due compensation!

Flight delays and cancellations can completely disrupt your travel plans, costing you time, money, and...

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the claim is a registered trading name of Big on Media ltd. Big on Media is registered in the United Kingdom under licence number 09878028 with its registered office located at Big on Media, 6 Sunderland Street, Tickhill, Doncaster, DN11 9QJ

© Join the Claim All Rights Reserved | 2025

Go to claims