Recovering from the cyber attack which severely disrupted public services has cost Gloucester City Council £1.14million.

The hack in late 2021 saw Russian criminals hold the council to ransom using a malicious computer programme to encrypt their files.

It resulted in months of chaos and the council having to spend 18 months rebuilding its servers and getting services back up and running fully.

A new report into the attack has revealed more details of how the criminals gained access, the total cost to taxpayers and how  the council plans to prevent it happening again.

It said the organised crime gang gained access to council systems using a spear phishing email received on November 24, 2021.

It was designed to look like part of an ongoing conversation with one of the council's suppliers and contained a link which was used to create a "hidden backdoor " into the council's network and launch the attack.

An investigation found around 230GB or 240,000 files were stolen and that residents personal information may have been compromised.

Hackers ransom note demanded the council pay up or data would be released and the council's files and systems would be left unusable.

The report said: "In line with NCSC guidance, no attempt was made to contact or negotiate with the attackers or to pay the ransom."

To date no information stolen in the attack has been found published online.

The impact of the breach was "immediate and extremely significant" making almost every council system inaccessible and left most services unable to function effectively.

Developers faced delays in planning applications, business licences could not be processed, property purchases were impacted, benefits payments, purchases, invoices and payments all had to be processed manually and online forms could not be used, causing widespread delays.

The council only had limited budget information throughout the year, increasing the workload for the finance team and managers.

The report by council officer Iain Stark, head of transformation and commissioning, said: "Over time staff were able to create innovative work arounds to keep services functioning, however for a significant period while systems were either offline or being rebuilt, services were either unable to deliver to residents or were substantially slower."

The survey in March 2023 found almost half of council staff felt their personal morale had been affected during the incident and 32% still felt affected by the attack.

Since the attack the authority has had to rebuild all of its computer servers, a process which was complicated by the council's move to Eastgate Offices in 2022 and the Civica ending its IT services in February 2022.

The report, Impact, Recovery and Lessons Learnt from the Cyber Attack in December 2021, is due before councillors at a meeting on Monday (Nov 27)

It shows the council has paid a total of £728,352.63 for specialist security consultants, software and support to aid its recovery. The council received £250,000 in grant funding from the Government and LGA towards these costs.

Replacement of servers, firewalls, laptops and other key equipment has cost £141,701.68 and migration of systems to cloud hosting cost £272,400.21.

The council was told earlier this year it will not be fined for the incident but but received a "slap on the wrist" from the Information Commissioner's Office

Its "reprimand" said the council could have prevented or reduced the impact of the attack if had better security systems in place and made recommendations to help prevent it happening again.

The council has drawn up a list of "lessons learnt" from that attack which includes a review of cyber incident response procedures for the whole council and carrying out simulated cyber and disaster exercises to test the council's plans.

The report said: "There is a challenge to restore faith and trust in technology and data security with staff, councillors, partners and the public.

"This can only be earned by demonstrating, living and championing the cyber lessons from the attack and industry best practice."

In February 2023, the UK Government took action against individuals connected with the criminal gang suspected of carrying out this attack.