Scottish Environment Protection Agency confirms ongoing ransomware attack likely to be by international serious and organised cyber-crime groups as 1.2 GB of data theft confirmed

  14 January 2021
The Scottish Environment Protection Agency (SEPA) today (14 January 2021) confirmed it was continuing to respond to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups. The agency also confirmed the theft of 1.2 GB of data and the support available to staff and affected partners, whilst reassuring the public that priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.
  • SEPA confirms ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.

  • Cyber security specialists have identified the theft of circa 1.2 GB of data (equivalent to a small fraction of the contents of an average laptop hard drive).

  • Dedicated data loss support website, enquiry form and support line available for regulated business and supply chain partners.

  • SEPA working with Scottish Government, Police Scotland and the National Cyber Security Centre to respond to what is complex and sophisticated criminality. Subject of a live criminal investigation.

  • What is now clear is that with infected systems isolated, recovery may take a significant period.  

  • A number of SEPA systems (including email) will remain badly affected for some time, with new systems required.

  • Priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.

  • The latest information on the cyber-attack, limited data loss and how to contact the agency is available at sepa.org.uk/cyberattack

The Scottish Environment Protection Agency (SEPA) today (14 January 2021) confirmed it was continuing to respond to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups. The agency also confirmed the theft of 1.2 GB of data and the support available to staff and affected partners, whilst reassuring the public that priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.
 
The matter is subject to a live criminal investigation and the duty of confidence is embedded in law.
 
The agency confirmed last week that following the attack at 00:01 Hrs on Christmas Eve, business continuity arrangements were immediately enacted and the agency’s Emergency Management Team was working with Scottish Government, Police Scotland and the National Cyber Security Centre to respond to what is complex and sophisticated criminality.

SEPA’s approach continues to be to take the best professional advice from the multi-agency partners, including Police Scotland and cyber security experts, to support its response. The agency advised that, for the time being, it needed to protect the criminal investigation and its systems. Consequently some internal systems and external data products will remain offline in the short term. Priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.

Terry A’Hearn, Chief Executive of the Scottish Environment Protection Agency, said:
 
“Whilst having moved quickly to isolate our systems, cyber security specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre have now confirmed the significance of the ongoing incident. Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”
 
What is now clear is that with infected systems isolated, recovery may take a significant period. A number of SEPA systems will remain badly affected for some time, with new systems required.
 
Email systems remain impacted and offline. Information submitted to SEPA by email since Christmas Eve is not currently accessible and whilst online pollution and enquiry reporting has now been restored, information submitted in the early stages of the attack is currently not accessible.
 
Limited data loss
 
Despite systems being certified to UK Government security standards, cyber security specialists have also identified the loss of circa 1.2 GB of data. Whilst, by comparison, this is the equivalent to a small fraction of the contents of an average laptop hard drive, indications suggest that at least four thousand files may have been accessed and stolen by criminals.
 
“We have prioritised our legal obligations and duty of care on the sensitive handling of data very seriously” said Chief Executive, Terry A’Hearn “which is why we have worked closely with Police Scotland, Scottish Government, the National Cyber Security Centre and specialist cyber security professionals day and night since Christmas Eve.”

“Work continues by cyber security specialists to seek to identify what the stolen data was.  Whilst we don’t know and may never know the full detail of the 1.2 GB of information stolen, what we know is that early indications suggest that the theft of information related to a number of business areas. Some of the information stolen will have been publicly available, whilst some will not have been” said Mr. A’Hearn.

Information included:

  • Business information: Information such as, but perhaps not restricted to, publicly available regulated site permits, authorisations and enforcement notices. Some information related to SEPA corporate plans, priorities and change programmes.

  • Procurement information: Information such as, but perhaps not restricted to, publicly available procurement awards.

  • Project information: Information related to our commercial work with international partners.

  • Staff information: Personal information relating to SEPA staff.


“Staff members affected to date have been notified, are being supported and are being given access to specialist advice and services. Support, including specialist advice from Police Scotland and mitigation services, is also being offered to staff across the organisation.”

Working with cyber security experts, a dedicated team has been established to identify the detail of business or partner information loss and, where identified, direct contact will be made as quickly as possible with affected organisations. This will happen across the coming days and weeks as and when more direct evidence of data loss specific to individual businesses and partners becomes apparent.
 
Cyber security advice and guidance for businesses is available from the National Cyber Security Centre. Links to this advice, along with the latest information on the cyber attack and limited data loss is available at sepa.org.uk/cyberattack

The site contains information on the scope of data thought to have been accessed, guidance from Police Scotland, a contact form and details of a dedicated data loss support line now available for regulated business and supply chain partners. The support line will not have additional information on affected organisations at this time.
 
Ongoing response
 
In addition to working to identify as much of the detail as possible in relation to the 1.2 GB of stolen data, the multi-agency response is focused on eradication, remediation and recovery.

  • Priority regulatory, monitoring, flood forecasting and warning services are adapting and continuing to operate.

  • Delivery of nationally important flood forecasting and warning products has continued, with flood alerts and warnings being issued with 24 hours of the attack on 24 December.

  • Contact centre and web self-help services are being slowly restored, including SEPA’s Floodline, 24 Hour Pollution Hotline and environmental event online reporting.

  • Regulatory teams continue to prioritise the most significant environmental events, high hazard sites and sites of community concern.

  • Teams are quickly working on interim ways to authorise regulated site activity, prioritising nationally important sectors such as food and drink, energy and waste.


That said, the agency confirmed that email, staff schedules, a number of specialist reporting tools, systems and databases remain unavailable with the potential for access to a series of systems and tools to be unavailable for a protracted period.

The multi-agency response is working to five clear priorities:

  • Incident response;
  • Supporting staff;
  • Protecting priority services;
  • Protecting Scotland’s environment;
  • Protecting communities.

Regulatory Approach

In addition to ensuring the continued delivery of priority flood forecasting and warning services, SEPA's regulatory approach will continue to prioritise supporting Scottish businesses, Scotland's recovery, environmental events, high hazard sites and sites of community concern.

The agency will help businesses meet their environmental obligations and prioritise authorising economic activity and will continue its risk based approach to regulation, focusing the most effort on sites or sectors which require oversight or where there is a risk of criminality or organisations seeking to take advantage of the ongoing cyber-attack.

Mr. A’Hearn said:

“Whilst the actions of serious and organised criminals means that for the moment we’ve lost access to our systems and had information stolen, what we’ve not lost is the expertise of over 1,200 staff who day in, day out work tirelessly to protect Scotland’s environment.

“Sadly we’re not the first and won’t be the last national organisation targeted by likely international criminals. Cyber-crime is a growing trend. Our focus is on supporting our people, our partners, protecting Scotland’s environment and, in time, following a review, sharing any learnings with wider public, private and voluntary sector partners.”

Environment Secretary, Roseanna Cunningham MSP, said:

“We strongly condemn this criminal attack on SEPA and the important work they do to protect and enhance Scotland’s environment.

“SEPA has acted quickly to enact its business continuity arrangements, ensuring its environmental incident response, and flood forecasting and warning services, are operational, and the Scottish Government, Police Scotland and the National Cyber Security Centre continue to provide support as part of a multi-agency response.

“While a great deal of work is going on to support recovery of other services that SEPA staff and the public rely on, I want to stress that arrangements are in place to allow the public to continue to report pollution incidents online or via the dedicated pollution hotline. I would urge them to do so in the interests of continuing to safeguard our environment.”

Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit said:

“This remains an ongoing investigation. Police Scotland are working closely with SEPA and our partners at Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident. Enquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response.

“It would be inappropriate to provide more specific detail of investigations at this time."

Further information
 
SEPA will provide further updates as quickly as possible at www.sepa.org.uk/cyberattack as more information becomes available.

Whilst the agency continues to work hard to understand and resolve the issues member of the public, regulated businesses and suppliers can find additional information and contact options via:

ENDS