Wellingborough and East Northants councils have been hit by a cyber attack just weeks after both councils were given limited assurance by auditors on their IT security.
Both councils had to take their systems offline for at least 24 hours earlier this week after an email phishing scam. Councillors and staff have had to change their passwords in an effort to tighten security.
A spokesman for the council said: “We could have accessed all systems but as a precautionary measure we restricted access for a short time to ensure there was no risk. No services to residents were affected.
“Our internal ICT team has carried out an investigation into this matter and followed the necessary measures to manage this.”
An email which went out from East Northamptonshire Council to contacts on its email list yesterday (Aug 1) said: “As you may be aware, East Northamptonshire Council was subject to an email phishing attack on Tuesday 30 July.
“Our internal ICT team has carried out an investigation into this matter and followed the necessary measures to manage this. We are now in ongoing discussion with the Information Commissioner’s Office regarding this situation.
“We would advise anyone who has received a suspicious email from one of our colleagues to delete this immediately. If you opened the link and entered your personal details please alert your email provider and seek support.”
East Northamptonshire council provides a shared IT service to neighbouring Wellingborough Council.
East Northamptonshire’s internal auditors LGSS said in its July audit report that the cyber security issues was 'considered to pose a major organisational risk.'
The audit, which was published last month, says: “The audit of cyber security audit highlighted weaknesses which required urgent action by management. Assurance has been provided that a detailed action plan was agreed and is being implemented to ensure the organisation’s resilience and security in this area. This will be subject to ongoing Internal Audit review and follow up work in 2019/20.”
A report from auditors about the cyber risk was discussed in an exempt session.
The corporate risk register for the council said the likelihood of attack was very high and the organisational impact would be very high.
Wellingborough Council’s limited assurance audit was discussed in a private session of the council last month which the press and public were unable to attend.