SEPA cyber recovery update

  05 April 2022

On Tuesday, 5th April 2022, SEPA confirmed that work to summarise the cost of the December 2020 cyber-attack by international serious and organised criminals, had been completed.

Jo Green, Acting Chief Executive of the Scottish Environment Protection Agency (SEPA) said:

"Following a significant cyber-attack by international serious and organised criminals, a series of independent reviews, including by Audit Scotland, were clear both on the level of threat to Scottish organisations and that SEPA is not a poorly protected organisation.

“We've spoken out on our readiness, resilience, response and recovery, and shared our learnings widely. Whilst recovery is challenging and complex, we’re making strong progress. We moved quickly to prioritise service delivery and continue to work to a clear plan for the medium term restoration of all our services.

“We’ve recovered 80% of the data illegally encrypted by criminals, recently published two significant compliance and reporting datasets and are working on next steps. In line with what we’ve said, we’ve confirmed the detailed cost of the cyber-attack as £4.4m, with £1.1m investment brought forward from future years.”


  • On Christmas Eve 2020, SEPA was the victim of a serious and significant cyber-attack orchestrated by international serious and organised criminals which significantly impacted the organisation.
  • Whilst our story is not unique, we were clear that we would not use public funds to meet a ransom request and that we would share our learnings widely.
  • SEPA received and is grateful for the significant support of the Scottish Government, Police Scotland, the National Cyber Response Centre and Scottish Business Resilience Centre.
  • We commissioned independent reviews into our readiness, resilience, response and recovery, which we published at an open forum for Scottish public, private and third sector partners in October 2021.
  • The majority of organisations hit by cyberattacks around the world choose not to speak openly about the attacks and that is their right.  We know we have taken an unusual approach, but we are convinced it is the right thing to do. 
  • In October 2021 we shared widely the findings of our independent audits. - SEPA cyber-attack ‘displayed significant stealth and malicious sophistication’ | Media | Scottish Environment Protection Agency (SEPA)
  • We published as much as we could of the independent reviews so that others could learn from our experience to better protect themselves from this growing scourge of international cybercrime.
  • Whilst the reviews found that SEPA’s cyber maturity assessment was high and that sophisticated defence and detection mechanisms were implemented and operating correctly prior to the incident, they identified a series of recommendations for the public sector, and 44 learnings for SEPA.
  • All the learnings were accepted. To date, 35 have been implemented and good progress is being made on the remaining nine.
  • In February 2022, Audit Scotland published its 2020/21 Audit of the Scottish Environment Protection Agency, stating that “SEPA was in a solid starting position” but that “this incident highlights how no organisation can fully defend itself against the threat of today's sophisticated cyber-attacks."
  • SEPA’s recovery is challenging and complex, with the Auditor General reflecting the realism of a serious and significant cyber-attack, stating that “SEPA will continue to experience the consequences of this attack for a while to come.”
  • SEPA is working to a clear Corporate Plan and Annual Operating Plan, with a refreshed Annual Operating Plan due for publication in May 2022.
  • Our service status can be viewed here. This provides the latest information on our current service status and recovery and is updated on a weekly basis. 
  • Cyber-crime is increasing at a rapid pace globally. In March 2022 the Scottish Government recently released figures which show that cyber-attacks in Scotland rose by more than 700% in the last year.
  • SEPA welcomed news that a new Scottish Cyber Co-ordination Centre (SC3) will act as a recognised, authoritative and collaborative function to combat the accelerating threat of these malicious and criminal cyber-attacks.