‘Human error’ caused by phishing email likely source of SEPA cyberattack
The cyberattack that downed systems for the Scottish Environment Protection Agency was likely caused by ‘human error’ as a result of a member of staff opening a phishing email.
Stephen Boyle, the Auditor General, pinpointed the source of the “sophisticated” ransomware incident on December 24, 2020, at a public audit committee meeting at the Scottish Parliament.
He described how 1.2 gigabytes of SEPA’s data – including underlying financial records – was “encrypted, stolen or lost”, and that backups were also rendered inaccessible by the hackers.
The data loss is still impacting the organisation, he told MSPs, which is why an official external audit by Grant Thornton could only issue a ‘disclaimer of opinion’ on accounts for 2020/21.
Boyle said: “SEPA had to recreate accounting records from bank and Her Majesty’s Revenue and Customs records. That made it difficult for the auditor to gain sufficient evidence to substantiate about £42 million of income from contracts.
“As a result, the auditor, Grant Thornton, has issued a disclaimer of its audit opinion, which is an unusual choice for an auditor to make. SEPA was able to prioritise and deliver some of its critical services within 24 hours of the attack. However, more than 12 months on from the attack, it continues to rebuild and reinstate its systems. The full financial impact of the attack is not yet known. Therefore, SEPA will continue to face financial and operational challenges in the years to come.”
Discussing the forensics of the attack, which is suspected to have been carried out by the Russia-based ‘Conti’ serious and organised ransomware crime group, Boyle said: “As we set out in the report, the general consensus is that the route into SEPA’s systems was through a phishing incident or attack. Committee members will be aware that that involves an email—masquerading as a genuine email—that contains a link; typically, a member of staff clicks on the link, which sets off a chain of events through which virus ransomware gets into systems. Unfortunately, that means that it is likely that an element of human error allowed the attack to have a route into SEPA’s systems.”
Boyle, however, said that SEPA was regarded as “well-prepared” and had a high level of “cyber awareness”, providing training for staff and testing its systems. But he said that can only take organisations so far, as has been demonstrated by recent cyberattacks on the likes of the Irish health service and the Foreign Office. He added: “If there is determined criminal intent, any organisation can be vulnerable to a cyberattack.”
SEPA is in the process of rebuilding its systems and has accepted 44 recommendations made by external auditors last year. According to Joanne Brown of Grant Thornton, around half of those have now been implemented, with the remainder on track to be completed by the end of March. However, she said a couple of the recommendations requiring additional investment and priority “might slip” beyond March 31 and that SEPA was in discussions about those with the Scottish Government.
One of the primary concerns remains the audit trail for SEPA finances and Boyle pointed out that SEPA’s financial strategy had identified “up to £17.9 million of vulnerability and variability in the longer term, to 2024”.
Going forward, MSPs raised concerns about the implications of the cyberattack for other public bodies in Scotland. Morag Campsie, senior manager at Audit Scotland, pointed to increased “cyberawareness” and training for public sector staff, tried and tested cyber incident plans, network segmentation, authentication and user access and a “collaborative effort” between government agencies.
She added: “The Scottish Government intends to bring in a central collaborative function, to ensure that all resources and technical expertise are pooled. The public sector has a number of organisations with different skills and of different sizes, with different resources available to them. There is a role for the Scottish Government to ensure that organisations can go to a centralised function to get information, share intelligence and make use of resources so that they are as prepared as possible and can respond quickly. We will continue to monitor the implementation of those arrangements.”