ICO confirms data breach reports from Kent councils
Incident appears to be linked to a shared IT supplier
The Information Commissioner's Office (ICO) has received a data breach report from three Kent councils, which continue to grapple with the aftermath of a cyberattack.
Canterbury, Dover and Thanet councils remain hampered by disrupted online services following an unspecified "cyber incident" that struck last week.
While initial reports suggested no breach of customer data, the ICO told Tech Crunch on Friday that it had received breach reports from the three councils.
"We have received breach report forms from three Kent Councils who form a three-way partnering service: Thanet District Council, Dover District Council and Canterbury County Council, and will be making enquiries," said spokesperson Rashana Vigerstaff.
The incident appears to be linked to East Kent Services (EKS), a collaborative IT and HR services provider all three councils use.
Despite the outage, EKS has remained silent, offering no public statement about the nature or impact of the cyberattack.
Security researcher Kevin Beaumont shed light on a possible connection between the attack and the offline status of EKS' Pulse Secure VPN server, hinting at vulnerabilities in widely-used corporate VPN appliances.
Fallout
Canterbury City Council's online payment systems, facilitated by EKS, remains inaccessible, with knock-on effects on other services:
"You won't be able to apply for, report something or pay for most services online at the moment while we investigate a cyber incident. You also cannot use our online maps. You can still pay your council tax, rent or business rates," says a statement on the Council's website.
The council is working with the National Cyber Security Centre (NCSC) to investigate the incident, and has implemented precautionary measures to mitigate service disruptions.
Dover District Council also continues to wrestle with technical issues, particularly in its benefits and tax portals.
Thanet District Council said it is experiencing technical difficulties with online forms and planning applications.
It has taken a proactive approach, limiting access to certain online systems following security concerns.
Some media reports have drawn links between EKS and Civica, which have worked together in some service areas since 2018. In statements, Canterbury and Thanet councils clarified that their IT services are not provided by Civica. Rather, Civica only processes revenues, benefits, debt collection and customer services on their behalf.
A spokesperson for Civica told Computer Weekly: "We can confirm that this incident was not caused by any of our systems."
"We will support affected customers if requested and assist in any way we can to minimise the impact for them and the citizens they serve."