SEPA Cyber-Attack: Data theft, service delivery and recovery update

  21 January 2021
The Scottish Environment Protection Agency (SEPA) today (21 January 2021) provided a further update on the ongoing ransomware cyber-attack which has significantly impacted the organisation since Christmas Eve.  The organisation reiterated that it will not engage with criminals intent on disrupting public services and extorting public funds.
  • SEPA issues further update on cyber-attack, data theft, service delivery and recovery.
  • Ransomware attack remains ongoing as SEPA reiterates it will not engage with criminals intent on disrupting public services and extorting public funds.
  • Data likely to be stolen by international serious and organised cyber-crime groups has been illegally published online.
  • SEPA working to recover and analyse data then contact and support affected organisations and individuals over coming days and weeks as quickly as identifications are confirmed.
  • Dedicated data loss support website, Police Scotland guidance, enquiry form and support line available for regulated business and supply chain partners.
  • Priority regulatory, monitoring, flood forecasting and warning services continuing to adapt and operate.
  • Broader update on service delivery and recovery to be confirmed early next week.
  • SEPA continuing to work with Scottish Government, Police Scotland, the National Cyber Security Centre and cyber-security specialists to respond to what remains complex and sophisticated criminality. Subject of a live criminal investigation.
  • The latest information on the cyber-attack, limited data loss and how to contact the agency is available at sepa.org.uk/cyberattack

As part of a broad update on data theft, service delivery and recovery, the environmental regulator confirmed that data stolen by what was likely to be international serious and organised cyber-crime groups has now been illegally published online.

In a previous update on 14th January (one of a series since the attack on Christmas Eve), SEPA confirmed the theft of circa 1.2 GB of data across four broad categories. To provide some context, the theft was equivalent to a fraction of the contents of an average laptop hard drive. Nevertheless, it still means that at least four thousand files may have been stolen by criminals.

“Supported by Scottish Government, Police Scotland and the National Cyber Security Centre, we continue to respond to what remains a significant and sophisticated cyber-attack and a serious crime against SEPA” said SEPA Chief Executive, Terry A’Hearn.  “We’ve been clear that we won’t use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds”, he added.

“We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online.  We’re working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals.”

The agency reiterated that whilst stolen data had now been illegally published and work was underway to analyse the data set, it does not yet know, and may never know, the full detail of the 1.2 GB of information stolen. Some of the information stolen will have been publicly available, whilst some will not have been. It confirmed that staff had been contacted based on the information available and were being supported, and that a dedicated data loss support website, Police Scotland guidance, enquiry form and support line were available for regulated business and supply chain partners.

The agency also confirmed that priority regulatory, monitoring, flood forecasting and warning services were continuing to adapt and operate and that a broader update on service delivery and recovery would be confirmed next week.

Mr. A’Hearn added:

“Sadly we’re not the first and won’t be the last national organisation targeted by likely international crime groups.  We’ve said that whilst for the time being we’ve lost access to most of our systems, including things as basic as our email system, what we haven’t lost is our twelve-hundred expert staff. 

“Through their knowledge, skills and experience we’ve adapted and since day one continued to provide priority regulatory, monitoring, flood forecasting and warning services.  Whilst some systems and services may be badly affected for some time, step-by-step we’re working to assess and consider how we recover.  We’ll issue a broader update on service delivery and recovery early next week, with weekly updates to be clear on what those we work with can expect and how we’ll prioritise progress.”

The agency stressed firm Police Scotland advice that organisations and individuals should not seek to search for the stolen information, as accessing the host site may place organisations, individuals and their computer infrastructure at risk.

Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit said:

“This remains an ongoing investigation. Police Scotland are working closely with SEPA and our partners at Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident. Enquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response.

“It would be inappropriate to provide more specific detail of investigations at this time.”

Jude McCorry, Chief Executive of the Scottish Business Resilience Centre, added:

“There are many ways including ransomware a business can experience a cyber security incident, with varying levels of complexity and disruption. Cyber incidents can occur through deliberate targeting like we have seen with SEPA, or even human error, the end result is the same, a disruptive effect on business operations.

“At SBRC we are working in partnership with Police Scotland and Scottish government running the UK’s first collaborative cyber incident response helpline for organisations in Scotland.

“If you feel that you are a victim of a cyber attack your first call should be to Police Scotland on 101 to report the crime (whilst respecting your IT systems as a crime scene) and our incident response helpline on 01786 437472, we will assist you with immediate support and expert guidance, and ensure you are speaking to the correct agencies and organisations to help you feel supported and get you back in operation securely.”

Further information

SEPA will provide further updates as quickly as possible at www.sepa.org.uk/cyberattack as more information becomes available.

Whilst the agency continues to work hard to understand and resolve the issues, members of the public, regulated businesses and suppliers can find additional information and contact options via:

  • Visit SEPA's website – sepa.org.uk
  • Check latest flooding information – floodline.sepa.org.uk/floodupdates
  • Call SEPA's 24 Hour Floodline on 0345 988 1188.
  • Report pollution or environmental incidents – sepa.org.uk/report
  • Call SEPA's 24 Hour Pollution Hotline on 0800 80 70 60.
  • Check the latest EU Exit & Coronavirus Regulatory Approach information – regulatoryapproach.sepa.org.uk/
  • Find the latest information on how we’re responding to the cyber-attack at sepa.org.uk/cyberattack
  • For other enquiries, contact us via sepa.org.uk/contact/contact-us-by-email, noting there may be a delay in responding.

NOTES TO EDITORS:

CATEGORIES OF STOLEN INFORMATION:

  • Business information: Information such as, but perhaps not restricted to, publicly available regulated site permits, authorisations and enforcement notices. Some information related to SEPA corporate plans, priorities and change programmes.

  • Procurement information: Information such as, but perhaps not restricted to, publicly available procurement awards.

  • Project information: Information related to our commercial work with international partners.

  • Staff information: Personal information relating to SEPA staff.

EARLIER RELEASES: