The Scottish Government’s green watchdog has lost £2.5 million income from industry permits and inspections following a debilitating cyber attack, according to documents obtained by The Ferret.
Ministerial briefings released under freedom of information law also revealed that the Scottish Environment Protection Agency (Sepa) was likely to suffer “significant reputational damage” as a result of the attack.
Officials said the impact on Sepa’s systems was “at the most serious end of the spectrum”. Sepa’s former boss described it as a “shambles” and a “failure of oversight”, while campaigners condemned the cyber criminals as “despicable”.
Sepa stressed that it was working to recover from a “complex and sophisticated” attack. It had commissioned an “independent audit” to learn lessons for the future.
The attack against Sepa’s computers was launched at one minute past midnight on Christmas Eve 2020, reportedly by an international criminal gang known as Conti. It demanded a large ransom, amount unknown, to restore access to Sepa’s data.
Sepa refused to pay, its communications were wrecked and over 4,000 stolen files stolen were published on the dark web. Up to April Sepa spent £800,000 responding to the attack, and it could take until 2023 to recover.
The Ferret reported on 16 May 2021 that Sepa was still struggling to process thousands of pollution permits, planning applications and waste licences. The agency’s chief executive, Terry A’Hearn, accepted that there “may be a risk” to the environment if services weren’t quickly restored.
One document just released by the Scottish Government is a briefing on 23 March 2021 for the then environment minister, Roseanna Cunningham. “Sepa is now forecasting a resource overspend of £2.5m for 2020-21,” it said.
“The majority of this arises from a shortfall in charging income, partly as a result of processing fewer applications and partly because it cannot currently access detailed information on outstanding payments due from existing licence holders.”
Sepa charges thousands of companies to recoup the cost of issuing or altering pollution permits, carrying out inspections or providing other services that help protect the environment.
The briefing disclosed that preparations were being made to help bail Sepa out. “The Scottish Government will manage the funding associated with this additional expenditure centrally, giving authorisation to Sepa to incur an overspend against the approved 2020-21 resource budget allocation,” it said.
According to the briefing, the backlog of planning applications to be considered by Sepa was “estimated at 1,200” in March 2021. “Media attention has generally been low,” it said.
Another briefing to ministers on 7 January 2021, two weeks after the cyber attack, highlighted how much damage had been done. “The impact on Sepa’s systems is at the most serious end of the spectrum,” it said. “Most of Sepa’s core systems are unavailable.”
The briefing reported that “many of Sepa’s core regulatory functions are severely impacted”. The agency was “assessing whether temporary relaxations of some regulatory requirements will be needed to manage the situation,” it said.
“Sepa is also specifically assessing risks around opportunities for environmental crime arising from their reduced capability and drawing up plans to address this.”
The briefing warned of other risks relating to intellectual property, commercial information and prosecutions of polluters. “There is also likely to be significant reputational damage arising from this incident – principally for Sepa but questions are also likely to be asked of Scottish Government,” it added.
Sepa’s former chief executive, professor Campbell Gemmell, described the situation as a “mess”. Sepa may not be able to tell which companies have paid, and which have not, he suggested.
“The public purse, i.e. the taxpayer, is picking up the tab for this. Albeit much of this was caused by a dreadful criminal attack on a public service,” Gemmell added.
“The whole shambles and the failure of oversight involved needs a thorough examination. The organisation seems to be flying blind, and a return to normal seems a long way off.”
Friends of the Earth Scotland welcomed government support for Sepa.“The decision to refuse to pay the ransom was definitely the right one, but there are major consequences which flow from it including this large bill for getting things back on track,” said the environmental group’s director, Dr Richard Dixon.
“The more you learn of the disruption that this cyber attack has caused the more despicable you feel are the criminals who perpetrated it.”
Another government document reporting a meeting between Cunningham and senior Sepa officials on 20 January 2021 noted that media coverage of the cyber attack had “generally been favourable”. But it added that there had been “some negativity” from The Ferret.
The Scottish Environment Protection Agency pointed out that the briefings were “snapshots in time”. The overspend for 2020/21 was also caused by the impact of the pandemic on industry, it said.
The estimated 1,200 backlog in planning applications was based on previous years’ activity. “Working closely with all planning authorities we triaged and prioritised the backlog down to approximately 400, and we have largely cleared that backlog,” Sepa said.
Chief executive, Terry A’Hearn, said: “Sepa is working to a clear recovery strategy in response to a complex and sophisticated cyber attack. We were clear that we would not use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds.
“In 2021 regulatory teams have deployed around 850 times, we’ve issued almost 2,500 authorisations and completed or are progressing around 400 planning cases to support Scotland’s recovery.”
A’Hearn argued that cyber crime was an increasing challenge and that service recovery took time. “We have commissioned an independent audit,” he said.
“Once complete, we’ll share the learnings widely so that we and all others with an interest can benefit from our experience in preparedness, response and recovery.”
The Scottish Government confirmed that Sepa was forecasting a £2.5 million overspend for 2020-21. The financial impact on 2021-22 was said to be “not fully understood at this stage”.
A government spokesperson added: “Sepa has increased resource to respond to customer enquiries, with customer enquiry backlogs, in areas such as environmental incident and permitting, being cleared.
“Sepa has reported that since January over 1,650 industrial pollution prevention and control, water environment, waste and other authorisations have been issued.”
This story was edited at 18.50 on 16 June 2021 to add comments from the Scottish Environment Protection Agency, and again at 20.00 to include comments from the Scottish Government.
Cover image thanks to the Scottish Environment Protection Agency.