Redcar cyber-attack: how hackers crippled a UK council and exposed systemic risks

Inside the ransomware siege that paralyzed services and cost millions

In the pre-dawn chill of February 2020, an IT engineer raced through the empty streets of Redcar, a coastal town in north-east England. A concerning alert had triggered alarms on the council’s network. By the time he reached the servers, it was already too late.

A ransomware attack had locked down Redcar and Cleveland Council’s entire digital infrastructure — halting bin collection services, social care, and communications with police and the NHS. The demand: a multimillion-dollar ransom in exchange for returning access.

“The destruction of our systems was total,” recalled then-council leader Mary Lanigan, who later testified that the attack cost £11.3 million to recover from — with only £3.68 million reimbursed by the UK government.

The attack was among the first high-profile examples of how local government systems could be brought to a standstill — a harbinger of the ransomware wave that would hit hundreds of UK institutions over the next few years.

From phishing email to total shutdown

Days before the breach, an email with a seemingly routine attachment slipped into a council inbox. Embedded in it was malicious code that quietly infiltrated the network, lying dormant until remotely triggered.

By the morning of Saturday 8 February, the virus had propagated across the council’s servers, encrypting data and locking out staff. By 11:00 GMT, the council website was down. “There wasn’t a lot we could do,” said Lanigan. “We had to bring in extra phones just so people could contact us.”

Behind the scenes, staff scrambled. IT technicians were removing infected computers desk by desk, while GCHQ’s National Cyber Security Centre (NCSC) weighed in on the scale of the breach.

Ciaran Martin, then head of the NCSC, called it an “unusually serious” incident and dispatched cyber officers to assist Redcar directly — an extremely rare move. As services failed and support for vulnerable residents collapsed, the crisis escalated into a national issue.

Social care collapse: families left waiting

Among the most damaging effects was the shutdown of social services. Council workers lost access to records critical for safeguarding vulnerable children and elderly citizens.

One local couple, Paul and Clare, described their ordeal. Clare suffers from a functional neurological disorder and relied on council care services. “It was all handwritten notes. You’d wait for hours on the phone. It was a nightmare,” said Paul, who left his job to become her full-time carer.

They waited months for services to resume. For them and many others, the cyber-attack translated into real-world harm — a point echoed by cyber experts who warn that ransomware isn’t just a data issue, but a threat to public welfare.

The ransom, the rebuild, and the fallout

On Tuesday 11 February, the hackers delivered their ransom demand. The figure was never disclosed, but experts estimate it was likely in the “low single-digit millions of US dollars.”

Lanigan was firm: “There was no way I was paying any ransom to anybody.” That same week, the UK government convened a Cobra emergency meeting — signaling the scale of concern at the highest levels.

Instead of giving in, Redcar began a laborious rebuild. By May 2020, only 90% of systems had been restored. Full recovery took ten months, with large parts of the system rebuilt from scratch.

A council spokesperson later admitted that while they held general insurance, there was no specific cyber-attack coverage — a vulnerability still seen across many UK public institutions. According to the Information Commissioner’s Office, there were 202 ransomware attacks on local councils in 2024 alone.

Who was behind the Redcar attack?

It would be years before credible leads emerged. In 2022, after Russia's invasion of Ukraine, pro-Ukrainian hackers leaked internal messages from the Conti Group, a notorious ransomware syndicate based in Russia. The leaked files linked Conti to attacks on multiple UK targets — including Redcar and Cleveland.

In 2023, the UK and US governments sanctioned a group of Russian hackers believed to be involved in the Redcar breach and others targeting schools, businesses, and councils.

Former NCSC chief Martin warned that attacks like this could be a dress rehearsal for broader sabotage by hostile nations. “What happens if ten Redcars are hit at once? Or a hundred? That’s not inconceivable,” he said.

Is the UK public sector ready?

Despite lessons from Redcar, many councils remain vulnerable. The UK government claims it is investing in local cyber defences — but the gap in insurance, preparedness, and digital resilience remains glaring.

The Redcar case is now taught in cybersecurity courses as a blueprint for worst-case scenarios in local governance. It’s also part of the growing body of evidence showing that even seemingly minor cyber intrusions can have cascading consequences — from missed care visits to stalled criminal investigations.

As digitisation continues across the public sector, Redcar stands as a stark warning. It wasn’t just a council that got hacked — it was an entire community’s ability to function that came under siege.

Stay tuned to The Horizons Times for further investigations into cyber threats, data security, and the resilience of public services.
