Attack on Scottish environment watchdog happened on Christmas Eve

The Scottish Environment Protection Agency has said it “will not engage with criminals intent on disrupting public services and extorting public funds”, as it continues to deal with a ransomware attack that has been ongoing since Christmas Eve.

Some of the information stolen from the environmental regulator has now been published online, but Police Scotland is warning individuals and organisations not to search for it, as accessing the host site may place their computer infrastructure at risk.

SEPA previously confirmed the theft of around 1.2GB of data, which the agency points out is the equivalent to a fraction of the contents of an average laptop hard drive, but it still means that at least 4,000 files may have been stolen by criminals.

This includes business and staff information, some of it already publicly available and some of it internal. But although work is under way to analyse the data set, the agency says it does not yet know, and may never know, the full details of the information stolen.   

It confirmed that staff had been contacted based on the information available, and were being supported, and that a dedicated data loss support website, Police Scotland guidance, enquiry form and support line was available for regulated business and supply chain partners.

Related content

• ‘Cyberattackers are doing the same things over and over – and too often getting through’
• How secure is government and should we have a right to know?
• DHSC signs £2m six-month deal to improve ability to ‘respond to recover from a cyberattack’

SEPA chief executive, Terry A’Hearn said: “Supported by Scottish Government, Police Scotland and the National Cyber Security Centre, we continue to respond to what remains a significant and sophisticated cyberattack and a serious crime against SEPA. We’ve been clear that we won’t use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds. 

He added: “We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online. We’re working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals.”

SEPA’s priority regulatory, monitoring, flood forecasting and warning services are continuing to operate and it will give a broader update on service delivery and recovery this week.

Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit said: “This remains an ongoing investigation. Police Scotland are working closely with SEPA and our partners at Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident. Enquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response. It would be inappropriate to provide more specific detail of investigations at this time.”

Jude McCorry, chief executive of the Scottish Business Resilience Centre, said: “There are many ways including ransomware a business can experience a cyber security incident, with varying levels of complexity and disruption. Cyber incidents can occur through deliberate targeting like we have seen with SEPA, or even human error, the end result is the same, a disruptive effect on business operations.  At SBRC we are working in partnership with Police Scotland and Scottish government running the UK’s first collaborative cyber incident response helpline for organisations in Scotland.