Increasing risk of cyber attack facing Bristol City Council

An increasing risk of a cyber attack is facing Bristol City Council due to delayed critical IT updates. Millions will soon be spent on updating many IT systems the council uses, but some updates will only come after current systems stop being protected from viruses.

A crucial gap lies in between when current software — used for work like managing repair jobs in council flats — reaches the end of its life, and when the new software is rolled out. End-of-life software is a key target for cyber attacks, as new security patches are no longer created.

Once the software is eventually rolled out, due by May 2024, City Hall chiefs hope council services will become easier to use for tenants, staff and contractors. Currently some software is reportedly fiddly, difficult to use and often needs “time-consuming workarounds”.

The cabinet has signed off plans to spend £7.5m, choosing a preferred IT contractor to roll out new systems in the council’s housing department. This could result in a new app for tenants to use, and many processes like reporting issues becoming more automated. But concerns about delays to the roll out were raised at the cabinet meeting on February 7.

Labour councillor Tom Renhard, cabinet member for housing, said: “We have very old systems in IT across our housing and landlord services. They have been in dire need of an update for a long time — whether it’s our asset management tools, the systems with which customers report repair issues, the systems which allocate repair jobs, or tracking inventory.

“There’s still a long way to go. We know that implementing a new IT system can be very challenging and is not without its risks. But it will mean a much improved service for residents, much improved functionality for our staff as well, and more broadly it amalgamates a lot of systems into one provider.”

Software companies often provide maintenance patches to fix newly found security issues, to prevent hackers from exploiting any vulnerabilities and launching a cyber attack. Patches respond to emerging technology and hacker methods. But after a while, companies stop supporting old software with patches and bug fixes, and the software reaches end of life.

Spelling out the risk facing Bristol City Council, a cabinet report said: “We are clear that the main drivers for the programme are the age, inbuilt redundancy and cost of the current housing systems. They do not support current business processes as well as they could, so bring with them inherent issues around data and security vulnerabilities.”

The new IT updates are expected to save the council millions in automating many processes. For example, the council currently processes thousands of paper invoices from contractors each year, costing £25 for each invoice — even though the technology is readily available for processing them digitally and much more cheaply.

In January, Royal Mail was hit by a high-profile ransomware attack, temporarily preventing the postal service from sending parcels or letters abroad. In December last year, the Guardian was also hit by a ransomware attack, with personal data of the newspaper’s UK staff accessed. And in December 2021, hackers attacked Gloucester City Council.

Main photo: Betty Woolerton

Read next:

• Bristol Waste loses its third top boss in six months 
• Emma Edwards elected as leader of Bristol Green group
• Back garden builds on council estate could be solution to housing crisis

Listen to the Bristol24/7 Behind the Headlines podcast: