Information on thousands of environmental checks and pollution breaches over 15 months has been permanently lost because of a cyber attack, according to the Scottish Government’s green watchdog.
The Scottish Environment Protection Agency (Sepa) has admitted that it cannot recover information from its national monitoring, compliance and enforcement databases in 2019 and 2020 because “information no longer exists”.
Sepa also disclosed that data on inspections and enforcement actions against polluters had been lost from staff computers.
Campaigners warned that Scotland’s environment is now suffering because Sepa is “completely gutted, destroyed and incapable of functioning”. They have called for Scottish ministers to take action to ensure the environment is protected.
One former Sepa boss described the lost databases as a “disaster”, suggesting that “chancers and criminals” could have been given “a free pass”. Large parts of Sepa’s work had been “undoubtedly crippled”, said an expert.
Sepa stressed that recovering from organised cyber crime was “challenging and complex”. It said it was “confident that we’ll recover the most important environmental data”.
The revelations come in the wake of a report by Audit Scotland on 1 February saying that the cyber attack meant £42 million of Sepa’s income couldn’t be verified. Sepa also had to write off £2 million in fees due to lost records.
The attack against Sepa’s computers was launched on Christmas Eve 2020 by an international criminal gang known as Conti, which has reportedly attacked more than 400 organisations worldwide. It demanded a ransom, which Sepa refused to pay.
“The majority of Sepa’s data was encrypted, stolen or lost,” concluded Audit Scotland. “The sophisticated nature of the attack meant that online backups were targeted and corrupted at an early stage.”
The extent of the damage done to Sepa’s environmental information systems has been revealed in a report seen by The Ferret. It was released by Sepa in January in response to a request under freedom of information (FoI) law.
The report said that Sepa had been unable to retrieve information from three of its major databases between October 2019 and December 2020. These were the national environmental monitoring system, the compliance assessment scheme and the enforcement tracking database.
Together these contained many thousands of measurements of air, water and land pollution across Scotland, as well as details of pollution breaches at hundreds of industrial sites. They included data on the contamination of rivers, lochs and bathing waters.
The lost databases would also have had unknown numbers of records of pollution incidents and of enforcement actions taken against polluters. “Information no longer exists due to circumstances outside Sepa control,” said Sepa’s FoI response.
“Although this information was held at the time of the request (18 November 2020), it is no longer held and Sepa cannot provide it.” Sepa was able to recover and provide information from the databases from before October 2019.
According to Sepa, the “U-drives” from staff’s individual computers, which contained information on inspections and enforcement actions against polluters, were also unrecoverable. Sepa employs 1,268 people.
In addition Sepa has been unable to access printed records in its office in Fort William because “the effects of water ingress in March 2021 renders it inaccessible at this time”.
Sepa has so far failed to publish any results from its compliance assessment scheme for 2019, 2020 or 2021. This previously reported on the environmental performances of over 5,000 sites every year, including factories, waste plants, fish and land farms.
The Scottish Pollution Release Inventory has also disappeared from Sepa’s website. It was meant to provide detailed information on emissions to air and water of some 80 pollutants from more than a thousand sites, including big climate polluters.
The Ferret reported in May 2021 that Sepa was struggling to process thousands of pollution permits, planning applications and waste licences. It had not been able to receive air and water pollution returns from companies, handle reservoir and other registrations, nor provide information on the past state of Scotland’s rivers.
Sepa admitted at the time that its systems had been “badly affected” and there “may be a risk” to the environment if it failed to quickly restore services.
Sepa’s report on database losses was obtained by the fish farming campaigner, Corin Smith. He asked for details of inspections and enforcement actions at some of Scotland’s 200 plus salmon farms.
Because Sepa had lost records since October 2019 some salmon farmers could escape enforcement action, he argued. “This will undoubtedly result in chemicals and salmon feedlot sewage going into our seas unchecked and damage being done,” he said.
“We have a national environmental protection agency, which by its own lack of competency and preparedness, finds itself completely gutted, destroyed and incapable of functioning.”
Smith attacked the Scottish Government for being “two-faced” on environmental protection, and demanded action from ministers. “By any reasonable assessment, Sepa is now an environmental protection agency in name only,” he added.
Professor Campbell Gemmell, who was chief executive of Sepa from from 2003 to 2012, characterised the lost databases as a “disaster” and a “shambles” that made him “angry and sad”. The cyber attack was “despicable and criminal” but the failures that allowed it to occur were “systemic”, he argued.
“It’s hard to see how the agency can do its job or indeed recover its reputation from this position. It seems like time to stop and start again,” Gemmell told The Ferret.
“I hope, despite a focus on centralised electronic systems, that some had the wisdom to keep paper records. Otherwise, too many careless operators as well as the chancers and criminals out there have simply been given a free pass.”
According to Professor Andrew Watterson, an expert on environmental regulation from the University of Stirling, it was “a matter of profound concern” that so much information had been lost. “This has undoubtedly crippled large parts of Sepa’s work,” he said.
“It must make it impossible for the agency itself to function effectively and, also very important, for those outwith Sepa to find out how, for example, fish farm companies have been complying with environmental regulations and inspections.”
Friends of the Earth Scotland described the cyber attack as “devastating” and called for “lessons to be learned” across the public sector. “Data which might have resulted in action against polluting companies is gone forever,” said the environmental group’s director, Dr Richard Dixon.
“It is a virtual certainty that the Scottish environment is in a worse state today because of the cyber attack, and this will be as frustrating for Sepa staff as it is for groups like ours.”
The Scottish Environment Protection Agency accepted that it hadn’t been able to recover all “significant” data. “We remain confident that we’ll recover the most important environmental data, with good progress being made on significant data sets,” said acting chief executive, Jo Green.
“We’re not rebuilding what we had. We’re building better, more accessible systems for the future which allow direct public interrogation of more of the information we hold.”
Green stressed that Sepa had been able to reinstate many of its vital services. “Make no mistake, recovering from serious and significant internationally organised cyber-crime is challenging and complex,” she added.
“Audit Scotland made clear that no organisation can fully defend itself against the threat of today’s sophisticated cyber attacks and that Sepa was on a solid starting position. This reflected the findings of a series of independent audits commissioned and published by Sepa to share our learnings widely.”
Green agreed with the auditor that “recovery will take time”. But she argued that across the 14 months since the attack had taken place Sepa was “recovering”.
She continued: “We’ve been open and transparent about our readiness, resilience, response and recovery, publishing clear service status updates. Whilst we know there’s more to do, it’s important to recognise that colleagues working across Scotland have achieved a lot.”
Green has replaced Sepa’s former chief executive, Terry A’Hearn, who resigned suddenly on 21 January after unspecified “conduct allegations”.
The Scottish Government said it was working closely with Sepa to mitigate risks. “It is deeply regrettable that information was lost as a result of the cyber attack, which caused considerable disruption,” a spokesperson added.
“Sepa has worked hard to recover and to make sure the impact on their services was minimised. This includes vital work on flood avoidance, protection and warning services, helping Scotland respond to serious storms, and tackling serious and organised waste crime.”