The Scottish Environmental Protection Agency (Sepa) paid private PR and social media firms £170,000 following a cyber attack in 2020, despite having its own communications department.
A freedom of information request by The Ferret has revealed that two contracts awarded by the government agency following a hack that paralysed it cost the taxpayer nearly £15,000 a month for a year.
The total cost to the public purse of the 2020 cyber attack on Sepa has risen to at least £5.5m, as revealed by The Ferret earlier this month.
Critics said the PR bill was “shocking” and there were “serious questions” to be asked of Sepa over its spending of taxpayers’ money on communications firms.
In reply Sepa said it “deliberately prioritised communication” after the cyber attack to support “colleagues, customers and partners” – including those whose data was stolen and “illegally published”. The agency added it no longer pays private firms for help with communications.
The attack against Sepa’s computers was launched on Christmas Eve 2020 by an international criminal gang known as Conti. It demanded a ransom, which Sepa refused to pay.
In June 2021 The Ferret reported that Sepa estimated the hack would cost taxpayers £2.5m. But new documents released by Sepa earlier this month showed the final bill has more than doubled.
They also revealed that £170,000 was paid to two private companies to assist the agency with communications following the attack.
A public relations firm called 3X1 Group was paid £136,000 (£113,400 ex VAT) for “public communication, employee and stakeholder engagement” in a 12-month contract. Sepa initially told The Ferret that the contract was worth £246,000 but amended the figure following our request for a comment.
A social media agency called We Are Hydrogen was paid £36,000 for “comms support – social media”.
Sepa has its own communications department which, according to its website, “works closely with all areas of the business to ensure effective internal and external communication”.
Opposition political parties have now raised concerns over Sepa’s spending.
Scottish Labour Finance spokesperson Daniel Johnson questioned the spending of over £100,000 of taxpayers’ money on PR firms during a cost of living crisis. He added: “It is completely reasonable for Sepa to pay for the technical upgrades they need after the cyber attack – but no one can say that giving over £100k to a PR firm is part of a technical upgrade.”
Lib Dems’ rural affairs spokesperson Beatrice Wishart MSP acknowledged that Sepa has had a “torrid time” over the past three years, but added: “The bill for this cyber hack has spiralled significantly but perhaps the most shocking feature is their public relations bill. As the organisation rebuilds, it has serious questions to ask about how it prioritises spending and whether it is delivering value for money for taxpayers.”
Those concerns were echoed by Scottish Conservative shadow finance and economy secretary Liz Smith MSP who claimed that “eyebrows will be raised among the public” at the sums spent by Sepa. She said questions must be answered by “top officials at Sepa” as to the “process behind spending so much money” on communications firms.
Smith added: “While this was a significant cyber-attack, costs to the taxpayers are threatening to spiral out of control. People are struggling right now with rising bills and tightening their belts, yet it appears there is little limit on what Sepa are prepared to charge to the public purse.”
Stuart McGregor, chief finance officer at Sepa, said: “Following a significant cyber-attack by international serious and organised criminals, a series of independent reviews, including by Audit Scotland, were clear both on the current cyber-threat level to Scottish organisations and on our response with Scottish Government, Police Scotland, the National Cyber Resilience Centre and Scottish Business Resilience Centre.”
He added: “We ensured important public services continued and that our stakeholders knew how we were impacted and how to work with us. We also spoke openly on our readiness, resilience, response and recovery and commissioned and published independent reviews to share our learnings widely which was recognised as an important outcome by Audit Scotland, Police Scotland and others.
“As again is best practice, we utilised external resource to support our cyber response in a number of areas, including public communication, employee and stakeholder engagement to support internal resource.”
A spokesperson for 3X1 Group said: “Good communication is an essential part of managing any crisis and we work with a range of clients to provide support during times like this.
“We provided SEPA with ongoing 24/7 communications support to ensure that everyone affected by the cyber attack, from the organisation’s staff to those who use its services, were kept informed as the situation evolved and recovery measures were implemented.”
The Scottish Government declined to comment.
We Are Hydrogen did not reply to our request for a comment.
Photo thanks to iStock and solarseven