Scotland's environment watchdog has written off £2m worth of fees because of records lost in a cyber attack.
The Scottish Environment Protection Agency (Sepa) had thousands of digital files stolen in the 2020 incident.
A new report by Audit Scotland said that, as a result, some public money had been written off but the full financial impact was still unknown.
Auditor General Stephen Boyle said the attack continued to have a "significant impact" on Sepa's performance.
Mr Boyle said Sepa's cyber defences were good and the incident highlighted how "no organisation can fully defend itself against the threat of today's sophisticated cyber-attacks".
Audit Scotland issued a rare "disclaimer of opinion" on Sepa's annual accounts for 2020/21 as a result of the cyber attack.
The spending watchdog said it was unable to obtain sufficient audit evidence to substantiate £42m of income from contracts for the environmental watchdog.
Reports published by both Audit Scotland and Sepa's auditors Grant Thornton reveal:
- Someone opening a fake email from hackers is the most likely cause of the cyber attack, according to experts. This means there "may have been a degree of human error involved" in the suspected phishing attack, according to Audit Scotland.
- The majority of Sepa's data was either "encrypted, stolen or lost" and the "sophistication of the attack meant back-ups were corrupted".
- Sepa's latest financial strategy estimates a "budget gap" of £6m (best case scenario) and £17m (worst case scenario) by 2024. A "strategic change" programme will see 50 full-time equivalent jobs go as a result.
- As of March 2021, the cyber attack is estimated to have cost £1.2m, but the quango's management have not yet been able to "fully quantify" the full financial impact.
- Sepa has written off about £2m "that it will be unable to collect in fees due to loss of underlying records".
Sepa rejected a ransom demand for the 2020 attack, which was claimed by the international Conti ransomware group, and its stolen files were then released on the internet.
The public body restored the majority of its key services, such as flooding forecasting, but is now building new IT systems to run them from.
In the report's conclusions, Audit Scotland said Sepa had "a number of areas of good practice" which included its "quick response and business continuity arrangements that enabled it to continue delivering critical services, and its open and transparent communication with staff and wider public".
Auditor General Mr Boyle said: "This incident highlights how no organisation can fully defend itself against the threat of today's sophisticated cyber-attacks.
"But it's crucial that organisations are as well-prepared as possible.
"Sepa was in a solid starting position but it will continue to feel the consequences of this attack for a while to come. Everyone in the public sector can, and should, learn from their experience."
'Challenging and complex'
In January, Sepa chief executive Terry A'Hearn, who had been in post since 2015, quit following conduct allegations.
Jo Green, acting chief executive of Sepa, said it had already commissioned, and acted on, a number of reviews into the cyber incident.
She added: "Whilst the reviews found that Sepa's cyber maturity assessment was high and that sophisticated defence and detection mechanisms were implemented and operating correctly prior to the incident, they identified a series of recommendations for the public sector, and 44 learnings for Sepa.
"All the learnings were accepted. Whilst challenging and complex, Sepa's recovery continues apace."