On 24 December 2020, we were subject to a serious and complex cyber-attack, displaying significant stealth and malicious sophistication, which significantly impacted our organisation, our staff, our public and private partners, and the communities who rely on our services. 

Since the attack, we have worked with Scottish Government, Police Scotland, the National Cyber Security Centre (NCSC) and the Scottish Business Resilience Centre (SBRC), to a clear recovery strategy.

Learnings from the cyber-attack

We voluntarily commissioned reviews from independent experts to help:  

1. ensure that SEPA further enhances its cyber security as the organisation builds new systems and practices.
2. allow others to learn from SEPA’s experience to help better protect themselves from cyber-crime.  

We are publishing as much as we can of the reviews so that as many organisations as possible can use our experience to better protect themselves from cyber-crime and have committed to supporting Police Scotland and Scottish Business Resilience Centre in their work on highlighting the support available to organisations to be cyber ready, resilient and responsive.

• SEPA: Response and recovery from a major cyber-attack 
• Azets: SEPA Internal Audit Report 2020/2021 Cyber Attack – Response 
• Azets: SEPA Internal Audit Report 2020/2021 Cyber-Attack – Lessons Learned
• Police Scotland: Cyber-attack response debrief 
• Police Scotland: Cyber-attack response debrief management response
• Scottish Business Resilience Centre: SEPA cyber preparedness review 

Our service status

Throughout our response and recovery activities, we published a weekly service status, detailing progress on our affected systems and services. We'll continue to update our service status on a weekly basis so that we’re clear on what those we work with can expect and how we'll prioritise progress.

Our current service status information.

Regulatory approach hub

SEPA committed to supporting regulated businesses during EU exit and COVID-19 and our response to the cyber-attack whilst maintaining protection for Scotland’s environment, communities and our people by publishing information on our regulatory approach website. As organisations re-open, we have now withdrawn this website and the temporary regulatory position statements (TRPS) it included.

You can find current information on the following regulatory positions on our website:

• COMAH
• Lateral flow test disposal
• Milk disposal
• Special waste consignment notes

If you require to view a withdrawn TRPS, please contact us.

Further information

Cyber security advice:

• Protecting yourself against cybercrime - Police Scotland
• Cybercrime Harm Prevention Guidance from Police Scotland
• Register for the ‘Exercise in a Box’, a free, 90-minute non-technical workshop, from the Scottish Business Resilience Centre
• Scottish Business Resilience Centre helpline for Scottish organisations in the event of a cyber-attack
• Cyber security advice for businesses, charities and critical national infrastructure with more than 250 employees
• Cyber security advice for businesses, charities, clubs and schools with up to 250 employees

Contact us:

• Visit the contact page on the SEPA website 

Further reading:

• Media release - SEPA cyber-attack 'displayed significant stealth and malicious sophistication' - Learnings for Scotland's public sector
• Annual Operating Plan 2021-2022