A gang demanded an £800,000 Bitcoin ransom in a cyber attack on a firm owned by Kent County Council, and leaked its data on the dark web.
Kent Commercial Services (KCS) delivers services and supplies to public authorities, including protective equipment during the Covid-19 crisis.
No ransom was paid and no personal data relating to taxpayers was stolen, KCS said.
The Information Commissioner said KCS had been given data protection advice.
KCS chief executive John Burr said: "The timing of this attack is particularly malicious and challenging given the current Covid-19 pandemic."
The Local Democracy Reporting Service was told the attack bore "the hallmarks of starting with a phishing email that was used to introduce a virus that then compromised the network".
The hackers encrypted the firm's systems and data and demanded payment to release and repair them on 2 April.
Stolen data that went on the dark web contained business and corporate information relating to business activities of KCS, based in Aylesford.
It took the company over four weeks to get the majority of systems back online with additional security, with remaining systems going live in the next two weeks.
The firm, which has an annual revenue of about £350m, is owned by the council but operates independently.
A spokesman for the Information Commissioner's Office said: "We were made aware of this incident and looked into the details. We provided data protection advice to the organisation and concluded no further action was necessary at this time."