SEPA continues to count cost of cyberattack

The Scottish Environment Protection Agency (SEPA) continues to feel the consequences of a December 2020 ransomware attack, says Audit Scotland report

Posted 2 February 2022 by Christine Horton

The full financial impact of a 2020 cyberattack on Scotland’s environmental agency is still not clear, according to a report by Scotland’s auditor general.

The Scottish Environment Protection Agency (SEPA) suffered a sophisticated ransomware attack on December 24, 2020. Most of its data was encrypted, stolen or deleted overnight – despite subsequent reviews finding that SEPA’s cyber defences were good.

Investigations have yet to determine the original source of the attack, but a phishing email and human error are suspected.

The ransom was not paid and SEPA was able to keep delivering its key services, such as flood warnings, within 24 hours of the attack. But more than twelve months on, it is still rebuilding its digital infrastructure.

Accounting records had to be recreated from bank statements and HMRC records, leaving auditors unable to fully examine SEPA’s finances, including £42 million of contract income.

SEPA’s management is also still trying to understand the full financial impact of the cyberattack, which has speeded up the building, or buying, of new systems and infrastructure. The senior team is also addressing recommendations for further improvement made in independent reviews of the incident.  

“This incident highlights how no organisation can fully defend itself against the threat of today’s sophisticated cyberattacks. But it’s crucial that organisations are as well-prepared as possible,” said Stephen Boyle, auditor general for Scotland. 

“SEPA was in a solid starting position but it will continue to feel the consequences of this attack for a while to come. Everyone in the public sector can, and should, learn from their experience.” 

Complex and sophisticated devices

The auditor general says it is believed the attackers infiltrated SEPA’s systems prior to December 24, 2020, and left complex and sophisticated devices to encrypt and destroy data.

SEPA continues to monitor its performance against 20 revised targets. However, it will be challenging for it to meet all of these in the coming year as it recovers and rebuilds, notes the report.

The auditor issued a disclaimer of opinion on SEPA’s financial statements as they were unable to obtain sufficient audit evidence to substantiate £42 million of income from contracts. 

The auditor general appoints auditors to Scotland’s central government and NHS bodies; examines how public bodies spend public money; helps them to manage their finances to the highest standards; and checks whether they achieve value for money. It is independent and is not subject to the control of the Scottish Government or the Scottish Parliament.