On Christmas Eve, the Scottish Environment Protection Agency confirmed that it was responding to a significant cyber-attack affecting its contact centre, internal systems, processes and internal communications. We are continuing to respond to the ongoing ransomware attack likely to be by international serious and organised cyber-crime groups. The matter is subject to a live criminal investigation.
Following the attack at 00:01 Hrs on Christmas Eve, business continuity arrangements were immediately enacted and our Emergency Management Team is working with Scottish Government, Police Scotland and the National Cyber Security Centre to respond to what is complex and sophisticated criminality.
The multi-agency response is working to five clear priorities:
Our approach continues to be to take the best professional advice from multi-agency partners, including Police Scotland and cyber security experts, with the multi-agency response focused on eradication, remediation and recovery.
For the time being, we need to protect the criminal investigation and our systems. Consequently some of our internal systems and external data products will remain offline in the short term. We've said that whilst for the time being weve lost access to most of our systems, including things as basic as our email system, what we haven't hadn't lost is our twelve-hundred expert staff.
Through their knowledge, skills and experience we've adapted and continue to provide priority regulatory, monitoring, flood forecasting and warning services.
Our focus is also on:
In addition to ensuring the continued delivery of priority flood forecasting and warning services, our regulatory approach will continue to prioritise supporting Scottish businesses and Scotland's recovery.
We'll help businesses meet their environmental obligations and prioritise authorising economic activity. We'll also continue our risk based approach to regulation, focusing the most effort on sites or sectors which require oversight or where there is a risk of criminality or organisations seeking to take advantage of the ongoing cyber-attack.
Whilst some systems and services may be badly affected for some time, step-by-step we're working to assess and consider how we recover. A broader update on service delivery and recovery will be issued on the week beginning 25th January, with weekly updates to be clear on what those we work with can expect and how we'll prioritise progress
Information on how to contact us is at the bottom of this page.
Whilst having moved quickly to isolate our systems, cyber security specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre confirm we remain subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.
It is now clear is that with infected systems isolated, recovery may take a significant period. A number of SEPA systems will remain badly affected for some time, with new systems required.
Our email systems remain impacted and offline. Information submitted to SEPA by email since Christmas Eve is not currently accessible and whilst online pollution and enquiry reporting has now been restored, information submitted in the early stages of the attack is currently not accessible.
Our approach continues to be to take the best professional advice from multi-agency partners, including Scottish Government, Police Scotland and cyber security experts, to support our response. Some of our internal systems and external data products will therefore remain offline in the short term. Additionally staff schedules, a number of specialist reporting tools, systems and databases remain unavailable with the potential for access to be unavailable for a protracted period.
Despite systems being certified to UK Government security standards, cyber security specialists have identified the loss of circa 1.2 GB on data. Whilst, by comparison, this is the equivalent to a small fraction of the contents of an average laptop hard drive, indications suggest that at least four thousand files may have been accessed and stolen by criminals.
On Thursday, 21st January 2021, as part of a broad update on data theft, service delivery and recovery, we confirmed that data stolen by what was likely to be international serious and organised cyber-crime groups has now been illegally published online.
We have prioritised our legal obligations and duty of care on the sensitive handling of data very seriously. We’re working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals. We don't however yet know, and may never know, the full detail of the 1.2 GB of information stolen. Some of the information stolen will have been publicly available, whilst some will not have been.
Indications suggest that the theft of information related to a number of business areas including:
Working with cyber security experts, a dedicated team has been established to identify the detail of business or partner information loss and, where identified, direct contact will be made as quickly as possible with affected organisations.
This will happen across the coming days and weeks as and when more direct evidence of data loss specific to individual businesses and partners becomes apparent. If you need to contact us about this, please complete the online form. If you cannot access the form and need support completing this, please contact us on 01698 839 022 (Monday - Friday, 9am-5pm).
Cyber security advice:
Members of the public can:
Regulated businesses can: