Civica dumps malware-hit Gloucester council at altar

Council denies Civica's withdrawal is related to December cyber-attack.

Crisis-hit Gloucester City Council has seen its IT plans thrown into chaos after Civica pulled out of late-stage contract negotiations.

The council was in “advanced” discussions with Civica for a new managed services contract, with most elements agreed “in principles” by January this year. But in February Civica “unexpectedly withdrew from the process following an internal review”, according to a council cabinet report released this week.

Civica is also Gloucester City Council’s (GCC) current IT provider, through an outsourced model dating from 2014. The new contract would have seen the council move to a managed services contract with a different division of Civica, a council spokesperson told The Stack.

The current Civica contract was due to expire on 30 April, but GCC has extended the arrangement for up to 18 months, with a three-month exit clause, as it scrambles to revisit alternatives, including a previously dismissed proposal to bring IT services back in house or to share them with another council.

A tender document puts the maximum cost of the contract extension at £1.6m.

The timing could not be worse for Gloucester, as the council is still struggling to recover from a cyber-attack in December 2021 which crippled most of its IT systems. The council said Civica’s withdrawal from negotiations “does not relate” to the cyber-attack. It will discuss its options at a May 4 Cabinet meeting.

The Stack asked Civica earlier this week why it abruptly withdrew from negotiations with GCC, but had not received a response at time of publication.

Civica in unprecedented withdrawal

The GCC spokesperson said there wasn’t a precedent for a supplier pulling out of negotiations at such a late stage. The cabinet report makes clear how surprising Civica’s move is.

“By January 2022, a compliant framework had been selected and negotiations were at an advanced stage to enter into a new arrangement with Civica UK Ltd; the service descriptions, annexes, and terms and conditions had been reviewed and agreed in principles by both parties,” said the report.

“In February 2022, Civica unexpectedly withdrew from the process following an internal review, leaving future arrangements for Gloucester City Council’s ICT service uncertain. Civica have indicated that they are willing to extend the existing ITO arrangement while we find an alternative option.”

The report also suggests the council has soured not just on Civica, but the whole idea of outsourced ICT services.

“Since Civica withdrew from entering into a new arrangement with the Council, it has become increasingly clear that the advantages of remaining in a relationship with Civica for core ICT services are no longer there; there is clear movement away from IT outsourcing and a pivot towards software services,” the report said.

It noted Civica’s services will mostly be provided by the firm’s local team assigned exclusively to Gloucester, and third-line support “will increasingly rely on third parties”. This will increase costs, and may cause resource issues and erode expertise over time, the report suggested.

“Therefore, it is recommended to move to an in-house solution at the earliest opportunity whilst we continue to assess the best way to provision ICT services in the long term,” the report concluded.

Gloucester cyber-attack fallout continues

While the council has denied any link between its cyber-attack in December and Civica’s withdrawal, the timing is extraordinary. It is also unclear to what extent Civica is responsible for restoring the affected IT systems – Civica failed to respond to The Stack’s queries by time of publication, and GCC declined to provide any further information beyond its status page.

The incident saw the council’s IT systems hit with “sleeper” malware on 20 December, allegedly placed by a Russian group, via an attachment in an email sent to a council officer. After more than four months most of the council’s IT systems remain down, leaving residents and even house-buyers unable to access vital services.

The council has chosen to scrap and rebuild all 10 of its on-prem servers, “based on the information provided by the National Cyber Security Centre”, according to a written answer from council deputy leader Hannah Norman in late March.

Norman also said the council is replacing all of its laptops. So far the cyber-attack has cost GCC at least £380,000 – opposition councillors claim the costs could run into the millions of pounds.

GCC chose not to take out insurance to cover cyber-attacks on the advice of insurance brokers and auditors, according to Norman, speaking in a council meeting this month. The council had previously been hacked by Anonymous, which leaked 30,000 council emails in 2014, following which the ICO fined GCC £100,000.

“The problems the city council has been having with its ICT services since the December cyber-attack, has been very serious. It has severely damaged frontline services. I have asked another set of questions related to ICT services, based on the cabinet ICT options report that has just published,” said opposition councillor Jeremy Hilton in a statement to The Stack.

Do you know why Civica pulled out? Have any further insight into the consequences of the ransomware incident? The Stack's team would like to hear from you. You can reach us by email or Signal.
