The full financial impact of a cyber-attack on Scotland's environmental agency is still not clear, and the incident remains a warning to other public sector bodies.
The Scottish Environment Protection Agency (SEPA) suffered a sophisticated ransomware attack on 24 December 2020. The majority of its data was encrypted, stolen or deleted overnight - despite subsequent reviews finding that SEPA's cyber defences were good. Investigations have yet to determine the original source of the attack but a phishing email, and human error, is suspected.
The ransom was not paid and SEPA was able to keep delivering its key services, such as flood warnings, within 24hrs of the attack. But more than twelve months on, it is still rebuilding its digital infrastructure.
Accounting records had to be recreated from bank statements and HMRC records, leaving auditors unable to fully examine SEPA's finances, including £42 million of contract income. SEPA’s management is also still trying to understand the full financial impact of the cyber-attack, which has speeded up the building, or buying, of new systems and infrastructure. The senior team is also addressing recommendations for further improvement made in independent reviews of the incident.
Stephen Boyle, Auditor General for Scotland, said:
This incident highlights how no organisation can fully defend itself against the threat of today's sophisticated cyber-attacks. But it’s crucial that organisations are as well-prepared as possible.
SEPA was in a solid starting position but it will continue to feel the consequences of this attack for a while to come. Everyone in the public sector can, and should, learn from their experience.