Published: 16:00, 01 June 2020
| Updated: 16:26, 01 June 2020
A criminal gang demanded an £800,000 Bitcoin ransom from a Kent County Council-owned company in a cyber attack - and then leaked private information on the dark web.
The assailants encrypted a "significant number" of systems and data from Kent Commercial Services Group (KCS) in the operation on April 2.
No ransom was paid by KCS which is wholly owned by KCC but operates independently from the county council, however some of the stolen data was leaked on the dark web by the criminals that carried out the attack.
Chief executive John Burr said: "The timing of this attack is particularly malicious and challenging given the current Covid-19 pandemic."
No personal data relating to KCC operations or taxpayers was stolen and the firm is working "flat out" to get all systems back online, CSG confirmed.
The firm, based in New Hythe Lane, Aylesford, is described as one of the largest trading organisations of its kind in the UK and was set up nearly 70 years ago by KCC. It has an annual revenue of around £350million.
Around 700 staff work at the company, which delivers key services to public authorities, emergency services and schools, including gas and electric provision, educational and office supplies as well as vehicle servicing and repairs.
It has also undertaken additional roles to support Covid-19 initiatives, including supply and distribution of personal protective equipment (PPE), masks, gloves and clothing to local and health authorities and emergency services.
The Local Democracy Reporting Service understands a high-level security breach avoided three levels of professional IT security at KCS.
A spokesman for KCS said: "The attack bears the hallmarks of starting with a phishing email that was used to introduce a virus that then compromised the network for further attack."
The sophisticated attack allowed the criminals to access KCS systems and encrypt a large amount of data.
A ransom note was later issued as the gang demanded a payment of £800,000 in Bitcoins to release and repair the firm's systems.
The stolen data that was put on the dark web was found to contain business and corporate information relating to KCS's business activities.
Mr Burr said: "Cantium business solutions (our sister company) and other retained cyber-security specialists are working flat out to restore the systems and limit any impact this crime might have on its staff, customers and suppliers.
"In particular, the company is using interim work arounds to ensure that our customers continue to receive essential services at this vital time."
In addition, KCS says it will "take learning from the incident" as it took over four weeks for the majority of systems affected to be put back online.
The remaining systems are expected to "go live" in the next two weeks.
“Organisations must make cyber security a top priority and ensure the personal information they acquire and handle is protected from criminals."
They add: "Additional security measures are being built into the new systems as well as the new infrastructure."
Following a review by the ICO, the government agency in charge of upholding information rights, KCS was told that no legal action would be taken against it. The case has now been closed by the ICO.
An ICO spokesman said: “Organisations must make cyber security a top priority and ensure the personal information they acquire and handle is protected from criminals.
“We were made aware of this incident and looked into the details. We provided data protection advice to the organisation and concluded no further action was necessary at this time.”