On Christmas Eve 2020, SEPA was the victim of a serious cyber-attack orchestrated by an “international criminal gang” who stole around 1.2GB of data.
The gang demanded a ransom which the environmental regulator refused to pay (see letsrecycle.com story).
Jo Green, SEPA’s acting chief executive, said a series of independent reviews, including by Audit Scotland, “were clear both on the level of threat to Scottish organisations and that SEPA is not a poorly protected organisation.”
“Whilst recovery is challenging and complex, we’re making strong progress,” she said. “We moved quickly to prioritise service delivery and continue to work to a clear plan for the medium-term restoration of all our services.”
Ms Green said SEPA had recovered 80% of the data illegally encrypted by criminals, published two “significant” compliance and reporting datasets, and was working on its next steps.
She added: “We’ve confirmed the detailed cost of the cyber-attack as £4.4m, with £1.1m investment brought forward from future years.”
Cyber-attack
In February 2022, Audit Scotland published an audit of SEPA for 2020/21, stating that the environmental regulator was in a “solid starting position” but “this incident highlights how no organisation can fully defend itself against the threat of today’s sophisticated cyber-attacks” (see letsrecycle.com story).
SEPA says the Scottish Government released figures in March 2022 which show that cyber-attacks in Scotland rose by more than 700% in the last year.
SEPA, which commissioned independent reviews into its readiness, resilience, response, and recovery, said it was grateful for the support of the Scottish Government, Police Scotland, the National Cyber Response Centre, and the Scottish Business Resilience Centre.
In October 2021, the environmental regulator published the findings of the reviews, which identified a series of recommendations for the public sector and 44 ‘learnings’ for SEPA (see letsrecycle.com story).
The recommendations included 24-hour security operations, implementing a Cyber Incident Response (CIR) specialist company, and regular reviews of an incident response plan.
SEPA said it accepted all the learnings and had implemented 35 to date. It added it was making “good progress” on the remaining nine.
Subscribe for free