Another year and yet another UK local authority has been pwned by a ransomware crew. This time it’s Gateshead Council in North East England at the hands of the Medusa group.
The council confirmed that police were investigating the “cybersecurity incident” on January 15, a few short hours after Medusa placed “stolen” documents on its data leak site.
Gateshead said the attackers gained access to its systems on January 8, that officers have been working on the case since then, and that some personal data “has been infringed.”
Medusa uploaded a 31-page slideshow on its site comprising various documents it claims to have stolen from Gateshead council. A cursory examination shows personally identifiable information (PII) in the form of full names, email addresses, home and mobile phone numbers, home addresses, employment histories, and more.
The types of documents already on display include job applications and internal spreadsheets concerning departmental budgets, sums of money owed to adult social carers, and reports about individuals’ eligibility for public housing.
Both residents and public sector staff appear to be affected by the leak.
Gateshead said the incident is now contained and it has notified the Information Commissioner’s Office (ICO).
In a statement sent to The Register, Mike Barker, strategic director for corporate services and governance at Gateshead Council, said:
“We have taken immediate remedial action to limit data loss and business continues as usual now we have isolated this incident, but investigations continue into this.
“Work is ongoing with relevant parties to understand how this incident happened and any wider implications it may have.
“A number of files have been accessed as part of this incident and we are now contacting those people impacted directly to ensure they are protected from any further harm. The police are also investigating this as a crime.
“Incidents of this nature unfortunately are on the rise, with many organizations like ours already having dealt with such situations.
“Our robust security measures have meant the potential damage this could have caused has been mitigated and we are still able to operate our day-to-day business activities.
“Protecting the public is our top priority and I want to reassure our residents and stakeholders we take such situations extremely seriously.”
Residents were advised to be vigilant to potential phishing attempts and other fraudulent activity. They were also told to review passwords to ensure they are strong and unique, and to change them if there are signs of compromise.
“We will be providing updates as part of the ongoing response to this incident and if we discover your data is at risk we will contact you directly,” Barker added.
“As investigations continue there is a possibility of further issues arising, and we will work to mitigate this should that be the case. Investigations so far have not indicated there is any further damage caused, but we need to be open to the possibility.”
Medusa’s site indicates that it’s demanding a $600,000 ransom payment for the deletion of data, although security experts routinely warn that criminals’ promises to delete data are rarely genuine.
The Register requested further details from Gateshead Council but it declined to provide them.
UK public sector organizations are regularly targeted by organized cybercrime crews. Leicester City Council was hit by ransomware in March 2024, with INC taking credit.
Since then, scores of other councils have been batting away DDoS attacks from NoName057(16), while various hospitals across the British Isles were also affected.
The latest news closely follows the UK government’s announcement that it will spend the next 12 weeks considering a potential blanket ban on ransom payments in the public sector.
The Home Office said the consultation began on January 14 and will run until April 8. It will consider a number of potential steps forward in the fight against ransomware.
In addition to a potential ban on public sector payments, the consultation will also decide whether to require commercial organizations of a certain size to apply for a license to pay ransom demands.
The license would be approved at the discretion of His Majesty’s Government and would likely be modeled on Australia’s equivalent, which came into force in November 2024.
The approach taken by the Aussies applies to any organization with an annual turnover of AU$3 million ($1.845 million) or more – around 6.56 percent of the country’s biggest fish. ®