Redcar and Cleveland Council Cyber Attack
Are our public services safe?
Redcar & Cleveland Council: Anatomy of a Ransomware Crisis
What happened?
In the early hours of Saturday 8 February 2020 a dormant piece of malicious code—planted weeks earlier in an email attachment—was remotely triggered on Redcar & Cleveland Borough Council’s network. Within minutes the ransomware encrypted servers, locked staff out of line-of-business applications and crippled telephony, email and the council’s public-facing website. Two working days later the attackers issued a multi-million-dollar ransom demand that the authority refused to pay. (BBC)
Timeline at a glance
Date | Key developments |
---|---|
8 Feb 2020 (Sat) | Full IT outage across council; website disappears; National Cyber Security Centre (NCSC) alerted |
10 Feb | Engineers physically remove infected PCs; social-care casework reverts to paper files |
11 Feb | Ransom demand received (undisclosed amount, “low single-digit millions” USD) |
May 2020 | Council reports only “90 % operational” after three months’ work |
Dec 2020 | Complete rebuild of IT estate finished—10 months after the incident |
Jan 2023 | Parliamentary evidence session confirms total recovery bill of £11.3 million |
Sources: (BBC, BBC, Tech Monitor)
Impact on residents and local services
- 135,000 people lost access to digital public services almost overnight. Online planning searches, housing-complaint portals, social-care advice and appointment systems all went dark. (BBC)
- Phone lines were saturated; staff issued extra handsets but still faced multi-hour queues. (BBC)
- Social workers and adult-care teams could not view electronic case notes. Vulnerable residents waited weeks or months for assessments; one carer had to quit his job to look after his wife because equipment requests stalled. (BBC)
- Routine operations—from bin-collection complaints to birth registrations—reverted to pen-and-paper, extending turnaround times and increasing error risk. (BBC)
- Financially the council faced an immediate cash-flow squeeze: lost enforcement income and delayed council-tax collection added more than £1 million to the direct IT recovery bill. (BBC)
The price tag
Initial internal estimates put the cost at £10.4 million (August 2020). A subsequent parliamentary submission revised this to £11.3 million, of which only £3.6 million was reimbursed by central government; the balance came straight from local reserves earmarked for frontline services. (BBC, Tech Monitor)
Why it mattered beyond Teesside
Redcar & Cleveland became an uncomfortable proof-point for the UK public sector: ransomware can remove an entire local authority from the digital grid for months, jeopardising safeguarding decisions, disrupting policing data-flows and eroding public trust. NCSC specialists later warned that simultaneous attacks on multiple councils could “wreck lives” on a national scale. (BBC)
Bottom line:
Cyber-resilience is not a budget line—it’s an operational prerequisite. The Redcar incident proved that recovery can dwarf the cost of prevention and, more importantly, that service interruption quickly translates into real-world harm for citizens. Treat ransomware readiness as a board-level duty of care; anything less is an invitation to become the next cautionary tale.
Building Real-World Cyber-Resilience: Six Non-Negotiables
- Assume compromise and segment accordingly. Flat, fully-integrated networks were a key weakness in Redcar. Break environments into logical zones with strict east-west traffic filtering.
- Harden email and identity first. Implement advanced attachment sandboxing, DMARC, MFA for all users and conditional access policies.
- Maintain immutable, offline backups. Test bare-metal restoration regularly and store recovery playbooks where ransomware can’t reach them.
- Practise your worst day. Conduct red-team exercises and tabletop scenarios that include executive, legal, comms and third-party suppliers. Recovery-time assumptions must be evidence-based, not optimistic.
- Invest in detection and response tooling—plus people. Endpoint detection & response (EDR), centralised log-analysis and 24 × 7 monitoring cut the dwell-time attackers need to stage large-scale encryption.
- Plan the business, not just the tech. Map every critical service to manual fall-backs (paper forms, alternative telephony), pre-draft public messaging and clarify decision-making authority on ransom payment, insurance claims and regulatory disclosure.
How can we help?
- Understand your current cyber resilience level and get actionable insights into improving your protection with a cyber threat and risk assessment.
- Are you prepared? Review your incident response plans, business continuity arrangements and your disaster recovery capability.