A cyber attack targeting Angus Council last year cost £25,000 to remedy, The Ferret can reveal.
The incident was one of two cyber attacks the local authority suffered in 2021, a reply to a freedom of information (FOI) request has revealed.
We sent FOI requests to each of Scotland’s 32 local authorities and found there had been six major cyber attacks targeting councils since 2017. Falkirk Council suffered two cyber attacks while both Stirling Council and Inverclyde Council were the victims of one.
The Scottish Business Resilience Centre (SBRC) — a not-for-profit organisation focused on cyber security — said nearly 40 per cent of incidents now target the public sector and that attacks can cost the taxpayer significant sums.
Angus Council told The Ferret that after one of the incidents in 2021 it spent “approximately £25k on a security improvement programme and consultancy to support a better understanding”.
“The security improvement programme involved implementing further technical, process and user related controls,” a council spokesperson added.
Inverclyde Council said it was the target of a cyber attack in 2018 but did not disclose how much the incident cost.
Since January 2017 Falkirk Council has suffered two cyber attacks but the council said it did not hold information on any costs to the taxpayer.
Stirling Council was the subject of a cyber attack this year but details of costs were not held. Its FOI reply added: “By way of explanation the cyber attack was identified and dealt with by officers and there were no costs beyond officer time expended in dealing with the matter.”
West Dunbartonshire Council refused to say whether it had been the target of an attack, arguing to do so would be “prejudice to effective conduct of public affairs”.
Its FOI reply said: “It is our view that by releasing this information, we would compromise the integrity and security of our IT systems. We do not believe that this is in the public interest and are therefore refusing this question.”
A cyber attack on the Scottish Environmental Protection Agency (SEPA) in 2020 cost at least £5.5m, as reported by The Ferret in April. The attack against Sepa’s computers was launched on Christmas Eve 2020 by an international criminal gang known as Conti.
The criminals demanded a ransom, which Sepa refused to pay. It later revealed that £353,000 had to be spent on getting crucial warning and communications systems — such as the national flood warning system — back up and running.
Jude McCorry, CEO at the Scottish Business Resilience Centre, said cyber attacks “often come at a very high cost, especially for the public purse”, pointing out that last week it emerged that the ongoing cost of a cyber attack on the Irish Health Service Executive has already hit close to €80m.
McCorry added: “According to the National Cyber Security Centre, nearly 40 per cent of cyber incidents are attacks on the public sector. While that means the majority of attacks are not on the public sector, no organisation can afford to be complacent. It is also no longer enough for only a few to be responsible for the IT security of an organisation – every employee must be cyber aware.”
In October The Ferret revealed that Scottish local authorities had recorded more than 10,000 data breaches over the last five years.
Incidents included the unauthorised access of data by staff, stolen data, procedural failures, theft of hardware, personal data put on websites, and the disclosure of personal information to third parties.
We also revealed that Police Scotland was informed of data breaches at least 12 times and 47 people faced internal disciplinary sanctions.
Cover image thanks to Sergey Shulgin / iStock