Officials at the Scottish Environment Protection Agency (Sepa) have warned a cyber-attack that led to the theft of thousands of confidential documents and shut down key operations has still not ended.
The ransomware attack on Sepa, where criminals seized about 1.2GB of confidential data in an attempt to extort money for its return, began on Christmas Eve.
The thieves have begun posting the stolen data online and are continuing to demand a payment from Sepa. The agency estimates at least 4,000 documents have been taken but says it may never know the true extent of the theft.
It includes personal information about Sepa staff, contract and procurement documents, pollution permits, enforcement notices and commercial work with overseas agencies.
Terry A’Hearn, Sepa’s chief executive, said the attackers were believed to be international cybercriminals who had deliberately targeted the agency. Sepa had rejected their demands for a fee to remove the stolen data from the internet, he said.
“We’ve been clear that we won’t use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds,” A’Hearn said.
Sepa has been forced to prioritise a handful of essential services, including flood protection and priority anti-pollution operations, and has been unable to carry out nearly all its routine work. That included updating recent rainfall data on its flood warning website, which published four flood alerts on Thursday linked to Storm Christoph.
Cybercriminals routinely attack public agencies in an attempt to take control of sensitive computer systems or steal data, and then extort money to release the systems or delete the stolen material.
In 2017, tens of thousands of businesses and public bodies in up to 100 countries worldwide, including scores of hospitals in the UK, were hit in the WannaCry ransomware attack that exploited weaknesses in Microsoft Windows systems.
A’Hearn said that four weeks after the attack started, Police Scotland and the UK’s National Cyber Security Centre had still not been able to resolve it. The agency said in mid-January many of its computer systems would be badly affected for months, and some may need to be replaced.
“Sadly we’re not the first and won’t be the last national organisation targeted by likely international crime groups. We’ve said that whilst for the time being we’ve lost access to most of our systems, including things as basic as our email system, what we haven’t lost is our 1,200 expert staff.
“Through their knowledge, skills and experience we’ve adapted and since day one continued to provide priority regulatory, monitoring, flood forecasting and warning services. Whilst some systems and services may be badly affected for some time, step by step we’re working to assess and consider how we recover.”