Cost of Sepa cyber attack doubles to £5.5m

The Scottish Environment Protection Agency (Sepa) has revealed that the cost to taxpayers of a cyber attack that paralysed the organisation in 2020 has risen to at least £5.5 million.

The attack against Sepa’s computers was launched on Christmas Eve 2020 by an international criminal gang known as Conti. It demanded a ransom, which Sepa refused to pay.

In June 2021 we reported that Sepa estimated the hack would cost taxpayers £2.5m.

But new documents released by Sepa show that the final bill has more than doubled. They give a breakdown of the costs and full details of crucial environmental data that remains lost, more than a year after the attack.

The breakdown shows that the organisation’s internal systems and networks had to be rebuilt from scratch. More than £1.1m was split between seven private firms who assisted with “systems recovery and rebuild”. Nearly half a million pounds was spent on digital forensic and recovery services to try to investigate the hack.

£353,000 had to be spent on getting crucial warning and communications systems — such as the national flood warning system — back up and running.

The agency also spent £280,000 on external communications and social media firms under the budget heading of “sharing our learnings widely.”

Officials now estimate the agency lost more than £1.3m in missing income as a consequence of the attack.

Although Sepa insists that 80 per cent of the data encrypted by the hackers has been recovered, there is still crucial data that the agency cannot access.

According to a Sepa spreadsheet, there are seven datasets that have not been recovered.

These include “annual complex exemption returns” for waste licences, “farm inspection” records relating to water, as well as “bathing water control zones.” The detailed spreadsheet is available to Ferret members as a download.

In February we reported that information on thousands of environmental checks and pollution breaches over 15 months had been permanently lost. One former Sepa boss described the lost databases as a “disaster”.

Sepa‘s acting chief executive, Jo Green, said a series of independent reviews, including by Audit Scotland, “were clear both on the level of threat to Scottish organisations and that Sepa is not a poorly protected organisation”.

“We’ve spoken out on our readiness, resilience, response and recovery, and shared our learnings widely,” Green added. “Whilst recovery is challenging and complex, we’re making strong progress. We moved quickly to prioritise service delivery and continue to work to a clear plan for the medium term restoration of all our services.

Green said Sepa had recovered 80 per cent of the data illegally encrypted by criminals, and recently published “two significant compliance and reporting datasets and are working on next steps”. She continued: “In line with what we’ve said, we’ve confirmed the detailed cost of the cyber-attack as £4.4m, with £1.1m investment brought forward from future years.”

The Ferret first submitted a freedom of information request seeking more information on the cyber attack in March 2021. The latest documents have been released, more than one year on, following an investigation by the Scottish Information Commissioner into the handling of the request.

The new figure of £5.5m was published in a statement on Sepa’s website at the same time as a final response was provided to the freedom of information request submitted by The Ferret.

Photo Credit: Unsplash/Vivianne Lemay