Multiple cyber attacks on public sector not reported to the police

Successful cyber attacks on Yorkshire's NHS, councils and universities have not been reported to the police - even in cases where criminals have locked information and demanded ransom payments, an investigation by The Yorkshire Post has found.

It comes after the National Crime Agency warned the “under-reporting of cyber crime remains a key barrier to our understanding of its true scale and cost”.

The Mid Yorkshire Hospitals NHS Trust suffered two ransomware attacks last year in which data was encrypted on some departmental drives with demands for payment made to unlock it. While no payment was made and the information recovered from back-up systems, neither incident was reported to police. A spokesman said: “Two attacks were successful in the sense they breached the protections the trust had in place but not in the sense they compromised systems, led to stolen or breached data or led to a payment being made.”

Sign up to our daily newsletter

The i newsletter cut through the noise

Barnsley Council suffered 13 successful ransomware attacks since April 2016 but said none were reported to the police. In each case, no ransoms were paid, data was restored from back-up systems and accounts were “disabled and changed immediately to render any captured credentials of little use”.

Kirklees Council was subjected to two ransomware attacks in 2015/16, only one of which was reported to the authorities. A spokesman said: “Both incidents affected a single machine on each occasion but the single machine went on to infect shared drives on our network storage system.

“Each incident was contained because our monitoring systems showed faults and we had each PC located and removed from the network.”

Three of Yorkshire’s top universities also suffered almost 300 successful attacks in the 
last three years – not one of which was reported to police. The 
University of York recorded 237 incidents in which criminals had successfully attacked its IT systems. These included nine 
Distributed Denial of Service (DDOS) attacks, in which online services are shut down, and a further seven incidents in which servers were “compromised” by hackers.

The university said none of the attacks resulted in data being lost and none were reported. A spokesman for the university said: “We did not consider that any incident caused sufficient loss, either monetary or of data, to justify reporting to the police.”

The University of Huddersfield recorded 54 successful attempts, largely made up of ‘compromised individual accounts’ being used to send spam after email accounts were hacked into. Nothing was reported to the police “due to low level impact”. Leeds Beckett University was affected by three ransomware attacks last year. No data was stolen or payments made.