On Christmas Eve, the Scottish Environment Protection Agency (SEPA) was subject to a serious and complex cyber-attack which has significantly impacted our contact centre, internal systems, processes and communications.
Following the attack, we immediately enacted our business continuity arrangements and took immediate action to limit the impact of the cyber-attack, notifying relevant authorities, including Scottish Government, Police Scotland, the National Cyber Security Centre and the Information Commissioner’s Office (‘ICO’) with whom we continue to work.
While Police Scotland has indicated the likely involvement of international serious and organised crime, SEPA has been clear that it will not engage with criminals intent on disrupting public services and extorting public funds. The matter is subject to a live criminal investigation.
Here you’ll find information on:
Since the cyber-attack on, 24 December 2020, Christmas Eve we’ve been working closely with Police Scotland, the National Cyber Security Centre and specialist cyber experts to determine the nature and scope of the attack. We learned that 1.2 GB of data (information) amounting to just over 4,000 files had been stolen from us.
On 21 January 2021 we learned that the information stolen from us had been published online illegally. Some of the information that’s been published was already publicly available, while some of that information was not.
What's SEPA doing now?
We are working quickly to assess the information that was published online. Our priority is to identify the information that is personal data and/or commercially sensitive.
What is personal data?
Personal data is information that relates to an individual. The ICO website explains this in more detail. The information that was published online may include some personal data of our staff, of our customers, and of the people with whom we work. We recognise that this news will cause concern, and we’re very sorry that this has happened.
What is SEPA doing to protect personal data?
We have disconnected our IT systems to avoid any further unauthorised access. Unfortunately, we’re unable to take down the information that is already online.
Can you tell me if my personal data is affected?
Not currently. We’re working hard to assess the large amount of information that was published online.
Should we need to notify anyone whose information is impacted, we will do so as soon as possible in accordance with UK data protection law.
What action should I be taking just now?
As a precaution, we’re encouraging stakeholders to follow every-day information security guidance and be mindful of any suspicious activity. This may include unexpected emails or phone calls from unknown sources.
You may wish to read guidance on practical steps to protect your data. There are links to guidance below:
If you have specific enquiries about this, please complete the online form.
If you cannot access the form and need support completing this, please contact us on 01698 839 022 (Monday - Friday, 9am-5pm).
Data protection law includes the Data Protection Act 2018, and the General Data Protection Regulation (GDPR), specifically Articles 33 and 34 of GDPR.
While the attack continues to significantly impact the agency and our infrastructure, we’ve set out two clear external priorities:
Our approach continues to be to take the best professional advice from multi-agency partners, including Police Scotland and cyber security experts, with the multi-agency response focused on eradication, remediation and recovery.
Online pollution and enquiry reporting has been restored, but our email systems, staff schedules, some data products and reporting tools remain impacted and offline.
As part of a phased rollout, an increasing number of employess are now gaining access to SEPA email addresses. As email is restored, staff will have a significant volume of information and emails to manage against the backdrop of continued limitations due to the impacts of the cyber-attack and COVID-19.
The restoration of SEPA emails will be phased and not all colleagues have access to our systems. Please don't assume that any emails that you have sent to us since Christmas Eve (and in the period leading up to this) are currently being actioned.
We're working hard to clear our backlog of emails, but it will take us time. If you have not progressed your enquiry via another route in the interim, please keep checking this Service Status update, which includes information on the services we are currently able to deliver.
You can continue to contact us noting there will be a delay in response.
We've said that while for the time being we’ve lost access to most of our systems, what we haven't lost is the knowledge, skills and experience of our twelve-hundred expert staff.
Through their work we've adapted and continue to provide priority regulatory, monitoring, flood forecasting and warning services. In addition, our approach will continue to prioritise supporting Scotland's recovery.
While some systems and services may be badly affected for some time, step-by-step we're working to assess and consider how we recover.
We'll update our service status on a weekly basis so that we’ve clear on what those we work with can expect and how we'll prioritise progress.
Approch to delivery
Cyber security advice:
Contacting us about data loss:
Members of the public can:
Regulated businesses can: