A council leader has told a Parliamentary inquiry that it was her decision not to pay a ransom demand of several million pounds to hackers responsible for a “catastrophic” cyber attack.

Mary Lanigan, who leads Redcar and Cleveland Council, spoke at a national security strategy joint committee hearing gathering evidence on ransomware attacks.

Councillor Lanigan said she had “put her foot down” and said no to the demand with the council not being able to afford the payment and fearing the potential impact on other local authorities.

Answering questions from committee members about the incident in February 2020, which downed computer systems and forced the council’s website offline, Cllr Lanigan also stated that "The council had no insurance to cover itself against the financial impact of a cyber attack" and had received a "clean bill of health" just two months prior in terms of its IT security.

The Government response "wasn’t good" and the local authority was initially “left to our own devices” until officials realised the seriousness of the situation.

Read more: bp launches 20 paid scholarships with Redcar and Cleveland College

She was told not to speak about the incident and would “go public” with residents and the media were the same to happen again.

Cllr Lanigan also repeated previous claims that the council had been effectively misled and that a Government minister had said all of its costs would be met, which turned out not to be the case.

The council eventually received a £3.68m grant in April 2021, although this fell well short of the overall cost to the council which Cllr Lanigan said was £11.3m.

Last year the then Department for Housing, Communities and Local Government – now the Department for Levelling Up, Housing and Communities – told the Local Democracy Reporting Service that it had no record of such a promise ever being made.

The joint committee, chaired by veteran Labour MP Dame Margaret Beckett, began an inquiry in October into ransomware attacks, the aim being to gather information from victims and on the state of the cyber insurance market, and elicit views on any areas for potential reform with regard to the Government’s approach.

Cllr Lanigan claimed the council had received a “clean bill of health” two months prior to the incident and did not think it was at risk.

She described how a member of IT staff discovered something that “didn’t look right” and “pulled the plug” with it later emerging the virus – which was hidden in an e-mail attachment downloaded onto a council laptop – had already been present in council computer systems for two weeks.

Read more: Tees crab deaths: MPs call for study into possible novel pathogen

She said: “It was a Saturday morning, I’d just got out of my bed, and my managing director rang me and said ‘We’ve been hit by a cyber attack’, everything has been pulled.

“I went down, staff were called in, and we immediately realised the seriousness of the incident and informed the central Government, with GCHQ being contacted.

“But we were actually left to our own devices for the first week or so and had to bring in our own private [cyber] security.

“That not getting on top of it straight away delayed us further down the road.

“Central Government did then step in to see what they could do and realised just how serious the situation was.”

Describing the impact of the attack on council systems, she said: “We lost everything, the whole lot, it was catastrophic.

“I had staff actually writing on pieces of paper, things that had not been done from decades before.

“It was devastating not just for staff, but the residents.

“We could not take in payments for rates or bills, we had no records or documents, we had no telephone service or e-mails, no functioning computers.

“GCHQ came up to help us, working alongside IT staff, and they actually stayed in the building, we put beds in for them.

Read more: Tees Valley Mayor: Tory peer didn’t declare donations

“The cost to the local authority was massive, we had to bring in external expertise and put new systems in.

“It took us eight and-a-half months to fully put things back together.”

Cllr Lanigan said a Government minister told her that “whatever it is, we will meet the cost”, but it did not work out that way.

She said: “The message was there wasn’t an issue – we should have recorded this from the go and got it in black and white in writing.

“I now tell councils that they should get an agreement of what they [the Government] are going to cover and what they are not, because it cost a great deal of money we could ill afford.”

She said the financial costs had been huge, with the council dipping into its reserves to help cover the shortfall.

Cllr Lanigan said: “It really put us on the backfoot and the reserves are still not back to where they need to be.

“Redcar and Cleveland Council also wasn’t insured for this – there are a lot of things that local authorities don’t get insured for.

“The cost of the insurance is massive and you don’t think this is going to happen to you.”

The council leader said it had been left to her discretion as to whether the ransom demanded by the hackers would be paid, but she chose not to.

She said: “If I had done that, would they have hit the other local authorities?

“Their thinking being that this council has paid if you like so the others will pay as well.

“Being a Yorkshire woman, you tend to put your foot down.

“We had a communication to say that they [the attackers] wanted several million and if you give us the money we remove the virus.

“However the system itself was that devastated that we felt it had gone beyond that we could pull anything back.

“We also wasn’t in a position to pay – and had we have done and they were already into our systems, could they have done it again?”

Read more: Rishi Sunak issues plea to North East families affected by knife crime

Cllr Lanigan also expressed frustration over being told by Government officials not to speak to the media about the incident when it was in its early stages, “which made it very difficult”.

Lady Neville-Jones, a member of the committee, asked Cllr Lanigan whether this approach had been right.

She replied: “With hindsight I’d do it differently and go public.

“The secrecy simply annoyed some of the other councils and partners we were working with.

“The Press were all over this – they knew the attack had happened – and were badgering us.

“We were trying to keep under wraps how serious it was, when local Government need to be open with residents.

“I know it was a criminal act and the police were involved, but if it happened again I would question why Government were saying to me ‘Don’t tell anybody Mary’ because I don’t think it was helpful and going forward we need to be more open.”

Cllr Lanigan claimed the police and Government were aware of the source of the cyber attack, which was internationally based.

She said: “I understand they have no extradition or ways of bringing these people to account.”

She said there had been a lot of communication with other councils in England and Wales about the circumstances her council had faced so it could share its experience and give advice on actions being taken elsewhere.

Cllr Lanigan said that rather than one big combined computer system being in place for all council functions, as previously had been the case in Redcar and Cleveland, it had now been split with service areas and the likes of payroll all operating separately with backups also in place.

If you want to read more great stories, why not subscribe to The Northern Echo for as little as £1.25 a week. Click here.

“It’s been a learning curve and we can help everyone else with our experience, which was absolutely devastating,” she said.

She also described how council members were now being regularly made aware of the risks in opening email attachments.

“Maybe we were lax in that, but now we have upped our game,” she said.

Asked for her view on the Government’s response by another committee member, she said it “wasn’t good”.

She said: “We took advice, but it didn’t work out very well.

“It would be helpful if Government could provide more guidelines, they’re not at the top of their game.”

Responding to Cllr Lanigan’s evidence, a Government spokeswoman said: “The National Cyber Security Centre (NCSC) worked to support Redcar and Cleveland Council as soon as this incident occurred, including sending a team to provide on-site advice.

“The NCSC continued to help with coordination with wider government and law enforcement and remained in regular contact throughout.

Read next: 

“In addition to £3.6m in direct funding to help with the costs of this incident, the Government has offered the council an extra £1.2m in capital flexibility.”

The Government said it was funding more than £37m to tackle cyber security challenges facing councils and invest in local authority cyber resilience, protecting vital services and data.

It said an ‘active cyber defence’ programme was available from the NCSC, offering a range of services free to the public sector.