Tewkesbury Borough Council: managing a cyber incident

Nine months after Tewkesbury Borough Council was subject to a cyber security incident, the LGA interviewed nine key members of staff at the council to draw out their experiences and compiled these into this case study.


Foreword

On 4 September 2024, Tewkesbury Borough Council detected suspicious activity on its network, which resulted in a complete shutdown of IT systems.

From the outset, our priority was clear: to ensure that the most vulnerable had access to the services they rely on. A major incident was declared on the rationale of needing to protect the data of residents and partners.

We immediately engaged with a leading cyber incident response specialist alongside the National Cyber Security Centre, to provide the highest assurance that our systems were safe and that the required investigations took place. Thankfully, this revealed that no personal data had been breached. It was largely recognised by partners that our quick response and decision making, along with our early engagement with partners, significantly aided the response and recovery processes.

It is important to point out that, while thorough security checks were carried out and officers were redeployed to address the incident, they were unable to progress their normal work. This inevitably resulted in backlogs. Yet, our staff worked tirelessly around the clock to find workarounds to continue to deliver services and bring our systems back online as quickly and safely as possible.

In addition, following the incident we have invested in upgrading our IT systems, equipment and cyber security. An action plan, including recommendations, timescales and outcomes, has been developed to ensure the identified lessons learned are implemented.

Our top priority will always be the safety of our residents and their data. I’d like to personally thank residents, businesses, staff and partners again for their patience and assistance throughout this challenging time.

Alistair Cunningham OBE

Chief Executive, Tewkesbury Borough Council

Summary

Nine months after Tewkesbury Borough Council was subject to a cyber security incident, the Local Government Association (LGA) interviewed nine key members of staff at the council to draw out their experiences and compiled these into this case study.

Key dates: The suspicious activity was flagged at around 2am on Wednesday 4 September, when it appeared that there was an unrecognised account performing a logon to an on-site device in the early hours of the morning. Further investigation found the account to be domain admin and Microsoft 365 showed what was believed to be vast amounts of 365 data being accessed. The decision to log off all Information Technology (IT) user accounts and shut down systems was made quickly that afternoon. That evening, the council mobilised its Strategic Command Group and alerted key partners such as the National Cyber Security Centre (NCSC), Ministry of Housing, Communities and Local Government (MHCLG), Department for Work and Pensions (DWP) and law enforcement agencies such as the Information Commissioner’s Office (ICO) and the police. Investigation into the incident continued until Wednesday 11 September, when it was confirmed there had not been a malicious actor on the system and there was no current cyber threat. The council was able to move back into a business-as-usual position by Monday 30 September.

Preparation: The council regularly responds to emergencies such as flooding events in the borough, and this increased the organisation’s preparedness to deal with a cyber incident. Services in the council also had business continuity plans in place, but these had not been tested for a cyber incident, nor did they include mitigation plans if digital systems were to be down for a long period of time.

Impact: On becoming aware of the incident, the council initially stood down all of its IT systems. This had a knock-on effect on the council’s ability to deliver some services, such as the revenues and benefits systems, which had not yet migrated from being on‑premise to being hosted in the cloud. For services that were cloud or externally hosted, partners working in the same building as the council provided clean laptops, enabling access to systems such as housing. Workarounds and generous laptop supply from the county council mitigated this. Fortunately, the council’s website, contact form and telephony system were also cloud‑hosted, so the council could communicate the incident externally and still respond to urgent resident queries. Once in recovery, the IT team undertook a rigorous process to assess the council’s servers, firewalls and devices for any cyber security threats before bringing systems back online and rolling out new devices.

Recovery: It took the council just under two weeks to move from responding to the cyber incident to reinstating a business-as-usual position across its IT systems. The response and recovery period might have been longer if the investigation had shown a malicious actor had accessed the council’s systems and data.

Lessons: The council demonstrated strong leadership and proactive, transparent crisis communication during the incident, which helped to build trust and assurance with communities and partners. However, the IT team faced significant pressures due to limited capacity and competing priorities for recovery. This was compounded by inconsistent cyber security monitoring practices and limited understanding of the council’s cyber insurance policy, which delayed its activation. Infrastructure challenges, such as a shortage of clean laptops, hindered staff productivity, though support from co-located police and the county council helped facilitate early response efforts. While the council managed the incident effectively, several gaps were identified in incident response and business continuity planning. This has prompted actions including developing a cyber playbook, improving access to continuity plans (with provisions for prolonged IT system disruption), and securing key partner contacts.

Background

In September 2024, Tewkesbury Borough Council was subject to a cyber security incident, which impacted the availability of its IT systems and the typical operational activities of the organisation.

From June to July 2025, the Local Government Association (LGA) undertook a series of interviews with key council staff involved in the incident, to draw out their experiences, and these have been compiled to create this case study.

All of the interviews were conducted by Dave Sifleet and Sarah Slate from the LGA’s Cyber, Digital and Technology team. The semi-structured interviews took place via Microsoft Teams and used a single set of questions, which was sent to each participant before the interviews took place.

Those who took part in the interview were:

  • Chief Executive
  • Associate Director – IT, Cyber and Digital
  • Executive Director – Resources and S151
  • Associate Director – Finance and Deputy S151 / Monitoring Officer
  • Director – Transformation
  • Communications Manager
  • Director – Corporate Services
  • Head of Service – Housing
  • Head of Customer, Programmes and Performance
  • Head of Audit and Governance

Timeline of the incident

Wednesday, 4 September - in the response phase

On Wednesday, 4 September 2024, at around 2am, Tewkesbury Borough Council’s IT team detected suspicious activity on its network, flagged by its SIEM tool. Five unrecognised user accounts were found, which were potentially being used to access data across Office 365 applications. The Associate Director of IT, Cyber and Digital immediately briefed the Director of Transformation and the Chief Executive, who were attending a monthly Leadership meeting.
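The signals described above (an unrecognised account logging on to an on-site device in the early hours, the account turning out to hold domain-admin rights, and a burst of Microsoft 365 data access from the same account) are the kind of thing a consistently used SIEM correlation rule should surface. The following is an added illustration written for this case study, not the council’s tooling or any vendor’s rule; the account names, host names, roster, thresholds and log records are all constructed.

```python
"""Added illustration of SIEM-style correlation for the signals in this case
study. Roster, privileged-group membership, hosts and log records are all
constructed so that the example runs offline."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed directory data. In a real estate these come from the identity
# provider; here they are fixed values.
KNOWN_ACCOUNTS = {"alice", "bob", "svc_backup"}
DOMAIN_ADMINS = {"bob", "tmp-helpdesk"}
EXPECTED_OFF_HOURS = {"svc_backup"}   # accounts that legitimately run overnight

OFF_HOURS_START = time(0, 0)
OFF_HOURS_END = time(6, 0)
M365_ACCESS_THRESHOLD = 500  # items touched by one account within the log window


@dataclass(frozen=True)
class Event:
    when: datetime
    account: str
    host: str
    kind: str        # "logon" or "m365_access"
    count: int = 1   # for m365_access: number of items accessed


def parse_line(line: str) -> Event:
    """Parse one constructed 'timestamp|account|host|kind|count' record."""
    ts, account, host, kind, count = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), account.lower(), host, kind, int(count))


def is_off_hours(when: datetime) -> bool:
    return OFF_HOURS_START <= when.time() < OFF_HOURS_END


def correlate(events: list[Event]) -> list[dict]:
    """Return one alert per suspicious logon, escalated by privilege and by
    bulk M365 access from the same account."""
    alerts: list[dict] = []
    m365_totals: Counter[str] = Counter()
    for ev in events:
        if ev.kind == "m365_access":
            m365_totals[ev.account] += ev.count
            continue
        reasons = []
        if ev.account not in KNOWN_ACCOUNTS:
            reasons.append("account not in roster")
        if is_off_hours(ev.when) and ev.account not in EXPECTED_OFF_HOURS:
            reasons.append("off-hours logon")
        if not reasons:
            continue
        severity = "medium"
        if ev.account in DOMAIN_ADMINS:      # unknown *and* privileged: escalate
            reasons.append("domain admin")
            severity = "high"
        alerts.append({"account": ev.account, "host": ev.host,
                       "when": ev.when.isoformat(), "severity": severity,
                       "reasons": reasons})
    # Second pass: a flagged account that also pulled a large volume of M365
    # data is the pattern the council saw, so raise it to the top of the queue.
    for alert in alerts:
        total = m365_totals.get(alert["account"], 0)
        if total >= M365_ACCESS_THRESHOLD:
            alert["reasons"].append(f"{total} M365 items accessed")
            alert["severity"] = "critical"
    return alerts


# Constructed sample log: the 4 September date comes from the case study,
# everything else is made up. 'alice' and 'svc_backup' should not alert.
SAMPLE_LOG = """\
2024-09-04T01:58:12|tmp-helpdesk|TBC-WS-017|logon|1
2024-09-04T02:03:40|tmp-helpdesk|M365|m365_access|640
2024-09-04T03:10:05|svc_backup|TBC-SRV-02|logon|1
2024-09-04T08:15:00|alice|TBC-WS-003|logon|1
"""


def run_sample() -> list[dict]:
    return correlate([parse_line(line) for line in SAMPLE_LOG.splitlines()])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["severity"].upper(), alert["account"], alert["host"], alert["reasons"])
```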

By 4pm, the decision was made to shut down all systems and declare a major incident, communicated to all staff via email (ahead of the systems shutdown). This action aimed to protect the council’s most vulnerable residents, safeguard sensitive data, and prevent further risk. The council invoked its cyber insurance policy and notified key agencies including the ICO, NCSC, Action Fraud and the police.

The council proactively informed key government partners including the Local Digital team within the MHCLG and DWP, and neighbouring councils through Gloucester’s Local Resilience Forum (LRF). The Information Commissioner’s Office was also engaged at this very early stage, due to the risk of a data breach.

The council activated its Strategic Command Group (SCG) and Incident Response Team (IRT), and later that evening launched ‘Operation Link’ to ensure partner agencies were informed. Due to limited access to technology, the police chaired both the Tactical Coordinating Group (TCG) and SCG.

The council established its response cell structure and collated all service areas’ business continuity plans. Cells included: Vulnerable Persons, Communications, Cyber Technical Advisory Cell (CTAC), Multi-Agency Information Cell, Recovery, Secretariat, Customer, Operational, Staff Welfare, Finance and Legal. In-person heads of service briefings took place throughout the response, twice a week within the first week and once a week in the subsequent weeks of response.

Committed to transparency, the Communications Cell reached out to media contacts and invited them to an over-the-phone media briefing the next day. The council had been able to access their website and social media accounts and provided a transparent statement to the public on what they knew so far.

Thursday, 5 September

On Thursday, 5 September, a media briefing was held, led by the Chief Executive, and a dedicated customer services support function was established. The council prioritised transparency, balancing public communication with NCSC guidance to avoid revealing sensitive details. A live FAQ section was created on the council’s website, and officers were redeployed to a centralised support team. The LRF also supported the council by helping to share its messaging. The AI-driven contact centre system enabled rapid updates through messaging and call routing.

Friday, 6 September

By Friday 6 September, investigations continued into the five accounts with support from a neighbouring council and the onboarding of a Cyber Incident Response (CIR) partner from the insurer. Further investigation of 365 activity found a bug in the 365 admin interface and therefore no evidence of data leaving the organisation, though systems remained offline and user accounts locked. The team continued to work over the weekend on the investigation.

Sunday, 8 September

On Sunday, 8 September, with support from Stroud District Council, the cause of the incident was believed to have been discovered, but independent confirmation from the cyber insurers was required.

Tuesday, 10 September - moving into the recovery phase

On 10 September, the findings by the IT and Stroud colleagues were independently confirmed by both the cyber insurer’s CIR partner and the NCSC. This moved the incident formally into recovery phase. Simultaneously, council officers were redeployed across the borough into a centralised Customer Services support team to respond to residents’ needs during the incident.

Wednesday, 11 September

The Recovery Co-ordination Group (RCG) was stood up, along with the following recovery cells within it: Communications, Cyber Technical Advisory Cell (CTAC), Resources and Corporate, Customer, Democratic and Governance, Operational, Staff Welfare, Finance and Legal, Secretariat and Vulnerable.

The objectives of the RCG were to:

  • Protect vulnerable residents
  • Ensure staff welfare
  • Recover critical services
  • Meet statutory requirements
  • Restore systems with enhanced security
  • Re-engage with the community and partners
  • Return to business as usual.

Monday, 16 September

Cyber insurers confirmed the result of the internal investigation, and the roll-out of staff laptops and phones began. Owing to the media attention the incident had generated, there was significant concern that the council might become a larger target for cyber security threats. Therefore, all work devices (laptops and mobile phones) were refreshed before rolling back out to officers. This was completed using a phased approach, with frontline teams who support the council’s most vulnerable residents receiving their laptops first. Security policies were also reviewed with additional hardening to ensure devices were ready for teams to stand back up securely.

In total, over 200 laptops and 50 mobile phones were replaced. The rollout of new laptops was budgeted for before the incident through the council’s capital programme but was accelerated because of the incident.

Tuesday, 17 September

Services across the council were asked to complete impact assessments to anticipate what the likely service backlogs would look like.

Friday, 20 September

The security team was working to ensure all systems recovered and were restored, meeting required security standards. At this stage, housing systems and team were up and running, and therefore the focus was on bringing the remaining services back online. Systems were reinstated using a phased approach, focusing on the systems that were necessary to support the borough’s most vulnerable residents.

To ensure systems and teams were brought back online safely, 24/7 monitoring was set up to ensure the council was able to respond and remediate any threats immediately during recovery.

Thursday, 26 September

Throughout recovery, staff and member briefings were held to provide updates and reassurance that support would be available to work through backlogs.

Friday, 27 September

Thank you letters were sent to all key partners who had supported the response and recovery efforts at the council.

Monday, 30 September

The RCG stood down, and the teams moved into business as usual.

Context

Tewkesbury Borough Council is situated in Gloucestershire in the south-west of England. The borough council serves a population of 90,000 people from 41,000 households across 160 square miles.

The council has an in-house ICT function, led by an Associate Director of IT, Cyber and Digital. The function is made up of one IT Support Manager and one vacant Networks and Cyber Manager post (at the time covered by a contractor).

At the time of the incident, the IT function was made up of Associate Director for IT, Cyber and Digital, as well as two network and cyber engineers and a junior technician. A few network engineers from Stroud District Council also supported the team to investigate the incident.

Council preparedness

The council is used to engaging with emergency and disaster recovery planning due to the borough’s susceptibility to flooding events. Therefore, each of the council’s services had their own business continuity plans, and they were used to standing up SCGs, RCGs, and delivering effective crisis communications.

At the time of the incident, the Council was developing a Cyber Incident Playbook, but unfortunately this had not been completed and approved. Therefore, there was not an Incident Response Plan or playbook in place for the council to use when the incident occurred.

This made accessing some business continuity plans (BCP), staff and key contact details for staff and partner organisations initially difficult compared to previous incidents (i.e. flooding) the council had experienced. This was because much of this information was accessible on digital systems, which had been switched off the afternoon the incident had been identified. Additionally, the BCPs were of varying quality across the organisation, due to capacity and capability of different managers and recent organisational change.

Some of the BCPs were uploaded onto Resilience Direct, and these were accessible once safe laptops were secured. It was further advantageous that the council had a standalone, non-networked printer which it could use whilst systems were switched off.

Although the council was not fully prepared for the cyber incident, officers quickly fostered a strong sense of community and collaboration, working together to resolve the issue and prioritise the protection of vulnerable residents.

Impact of the incident

On the day the incident was discovered, all the council’s IT systems were taken offline. At this point, the council compiled a list of all statutory reporting requirements across the organisation in case systems were down for a longer period of time.

Delivering internal communication across the council was initially quite difficult because managers did not consistently have access to their team’s personal numbers, many of which were stored digitally. This meant establishing WhatsApp groups to disseminate messages and updates took some time.

Messaging to staff was designed to let them know what was happening, in as far as possible, so they had some level of understanding of the situation. However, this had to be balanced against the council’s wider communications strategy which needed to ensure that it did not release any information that might compromise the ongoing investigation or risk the council becoming at larger risk from cyber security threats. Updates were also sent to councillors so that they were kept abreast of what was happening.

When the council notified partner organisations of the incident, some immediately cut off electronic communications. In most cases, these were restored once the council was able to show it had contained the incident, and the council’s openness in highlighting the problem and regularly notifying and updating partners was crucial in building trust.

A statement was published by the council on its website upon discovery of the incident to alert residents to the service disruption. This was updated as and when services came back on stream and included reassurance that benefit payments were still being made, once a workaround was in place. Communications to the public were carefully written to avoid causing anxiety.

Through its empathetic, transparent and regular crisis communication updates (to staff, partners and the media) the council received much positive sentiment throughout the incident. Videos of the Chief Executive on social media, with the backdrop of officers working hard to respond to the incident, were released two to three times a week and were particularly well received and appreciated by the community.

The council fortunately had a qualified loggist (trained and approved by their Local Resilience Forum, LRF) as part of the SCG, so could immediately begin logging decisions and events when the incident was declared.

The council’s revenue and benefits system was significantly impacted. Officers could not access their core system, which impacted how to pay residents and how to collect council tax. To mitigate this, the team manually re-ran the previous month’s payments. This was the same process the payroll team had to follow due to their system being unavailable.

For services that had to be delivered manually due to the incident, information security and governance was of utmost importance to officers. Officers were provided with guidance on how to responsibly and safely use and physically store data (e.g. if written down).

A temporary contact centre was set up to answer urgent queries, and the revenue and benefits team was moved into this team. It was felt that if Local Government Reorganisation (LGR) was not impacting the council, there would be the ambition to continue this and establish the council’s own Corporate Contact Centre.

The council’s housing system is shared with other neighbouring councils and hosted on the cloud. This meant that as soon as the team was able to get hold of a clean laptop, they were able to access it. The team encountered a challenge when their account had multi-factor authentication (MFA) enabled, and they did not have the device to log in. This delayed access to the system until they were able to have a safe email address for login, which was generously provided by the counter-fraud team who also shared the council’s office block in Tewkesbury.

The county council lent clean laptops to Tewkesbury colleagues too, to use immediately whilst the IT team ordered and rolled out the council’s new set of laptops.

Fortunately, the AI-driven contact centre system allowed for changes to messaging and call routing to be made quickly and easily, giving residents and businesses the latest information and ensuring they were speaking to the right team members. Additionally, the customer telephone and request form systems were cloud-based, and the cell lead for Customer was able to source a clean laptop the night the incident was declared, so there was not much disruption to the council’s customer contact line. Due to the council’s proactive messaging and external communication of the incident, far fewer contact inquiries were made than the Council were expecting. The council prioritised homelessness and benefit queries over general service provision during the incident response and recovery period.

The cell for Vulnerable People was co-created with the county councils to help identify vulnerable residents.

Overall, staff appeared to cope well throughout the incident, pulling together to ensure that services to residents were not affected. Community Hubs were set up so that the many staff who couldn’t fulfil their role could volunteer in the community (e.g. by litter picking), speak to residents and provide support for communities.

The Community Hubs established enabled residents and communities to connect with council officers in new ways, fostering positive cohesion between them in the crisis. This face-to-face contact and council presence in the community also helped to spread the latest updates and community messaging about the incident.

In the recovery phase, some officers from the Operational Cell were seconded to support with the laptop refresh, to support the rapid roll-out of new laptops. The operational cell eventually merged with the recovery cell to further support with the inventorying and ordering of new laptops.

Recovery process

Once the cause of the incident was independently confirmed by NCSC and the cyber insurers, the incident was then able to move into focusing on recovery.

The RCG was stood up with nine different cells to support the safe recovery of systems. The safe restoration of systems was prioritised, focusing on systems that supported the borough’s most vulnerable residents. The RCG led the prioritisation of systems to be recovered. There was a pre-existing prioritisation list that the council had previously created, but it was yet to be tested.

The list worked relatively well, but there were interdependencies between systems and with partner organisations which made this challenging. For example, some systems needed to be recovered simultaneously because of the interdependencies between them, and on the other hand, other systems were re-prioritised because of the impact they had on partners – the council’s shared legal system, for example. Additionally, some bespoke computing setups hadn’t been pre-configured, which caused delays or required additional workarounds for recovery.

Before systems were brought back online, the IT team conducted a thorough review of servers, firewall rules and laptops. To support this, 24/7 monitoring was set up, with three contractors rotating in shifts to monitor the council’s Security Information and Event Management (SIEM) tool. Additionally, a Web Application Firewall (WAF) was implemented using Cloudflare to add an extra layer of protection, and strict access rules were applied.

The recovery effort was firstly focused on restoring the operating systems and server-level infrastructure safely, treating applications as secondary unless they were externally facing and required WAF protection.

The revenue and benefits system was one of the first systems to be safely restored. The council’s Housing system for example was cloud-hosted and shared with other councils, so did not need to be safely reconfigured.

Support with the recovery process was received from numerous organisations including the NCSC, Southwest Regional Organised Crime Unit (WROCU), the council’s cyber insurers, Stroud District Council, and Gloucester County Council. The council also said it used some of the learnings from the cyber incident that hit its neighbouring council, Gloucester City Council, in December 2021.

Cost of the incident

The total cost of the incident was £289,625.28, and is broken down in table 1 below:

Table 1: Costs incurred

Item                                          Cost
Contractors - Cyber                           £89,632.00
Contractors - Environmental Health backlog    £6,648.00
Contractors - Planning (2025–2026)            £25,824.00
Contractors - Planning backlog                £84,825.35
Cyber Security                                £29,833.60
Equipment, mileage and provisions             £1,917.64
Overtime - Building Control (2025–2026)       £5,925.00
Postage                                       £1,035.00
Rescheduling of training                      £4,000.00
Staff overtime                                £39,984.69
Total                                         £289,625.28

The council had already approved capital budget for new laptops, so the total above does not include the cost of procuring new laptops.

The council had a cyber insurance policy in place to cover significant costs during a cyber incident, but the costs incurred did not reach its £50k excess, so the council was not compensated for them. Each area the insurance covers would have needed to exceed this excess before the insurer would reimburse.

Lessons learnt and actions taken

While the council was able to quickly respond to and recover from the incident, it has used it to identify areas for improvement, nonetheless.

Table 2 shows the key learning and actions taken grouped by theme.

Table 2: Lessons learnt and actions taken

Good practice

Visible and strong leadership

The council’s Chief Executive provided regular video updates, speaking directly to the camera with a backdrop of staff at work. These updates were shared on social media two to three times per week, helping to maintain visibility and reassurance.

The Chief Executive’s visible, strong leadership from the moment the incident was discovered resulted in rapid mobilisation and response, bringing the right colleagues together to enable decisions to be made cautiously at pace.

Proactive, transparent and frequent crisis communication

Upon discovering the incident, the council proactively engaged with key stakeholders including the Local Resilience Forum, MHCLG, ICO, DWP, and NCSC. It also reached out to media outlets to ensure transparent communication with the public. This reduced the possibility of miscommunication with the public, and by being honest and communicating early with the public from the beginning, the council was able to build trust across all its stakeholders.

Improvements

Capacity to respond

The IT team faced significant pressure due to ad-hoc requests and competing priorities. Already overstretched, the team was led by a relatively new Associate Director of IT, Cyber and Digital, who was simultaneously overseeing both the security team and the technical advisory cell.

Cyber security

The Security Information and Event Management (SIEM) system was not consistently used by the team, which hindered the investigation. The incident highlighted the need for 24/7 security monitoring and remediation of council systems. Additionally, the terms and conditions of the cyber insurance policy were not fully understood prior to the incident.

Since then, the council has taken out a new cyber insurance policy which is now more comprehensively understood.

IT infrastructure

There was a limited supply of laptops capable of operating independently from the council’s network, which restricted staff’s ability

Conclusion

Tewkesbury Borough Council’s experience with the cyber incident in September 2024 offers valuable insights into the importance of preparedness, communication, and resilience in the face of cyber threats. Although the incident was ultimately benign, the council’s swift and decisive response demonstrated a strong commitment to safeguarding its systems, data, and residents. The activation of emergency protocols, honest and transparent engagement with partners and the public, and the rapid mobilisation of internal teams helped to contain the situation and maintain public trust.

The incident exposed several areas for improvement, including gaps in cyber insurance understanding, inconsistent use of monitoring tools, and limitations in IT infrastructure and business continuity planning. In response, the council has taken proactive steps to strengthen its cyber resilience - developing a Cyber Incident Response Plan, improving access to continuity resources, and enhancing staff training.

This incident has served as a catalyst for meaningful change. By learning from the experience and implementing targeted actions, Tewkesbury Borough Council is better equipped to respond to future incidents and continue delivering essential services securely.