More than 4,000 confidential business files belonging to the Scottish Environment Protection Agency (SEPA) have been illegally posted on the dark web by cyber criminals.

A stolen tranche of 1.2GB of data from SEPA has been revealed on a hidden hackers’ site as part of a sophisticated ransomware attack which downed SEPA systems on Christmas Eve.

The data, which has been seen by FutureScot but which we are not revealing, is being displayed by the Conti criminal network as part of efforts to extort cash from the environmental agency.

Last night its Chief Executive Terry A’Hearn insisted that the agency would not pay the anonymous criminal enterprise – which has been behind a string of attacks on public authorities, such as a US criminal court, as well as companies from sectors including manufacturing, hospitality and construction – with victims located in the US, the UK, Canada, New Zealand, and the Bahamas.

A’Hearn said: “Supported by Scottish Government, Police Scotland and the National Cyber Security Centre, we continue to respond to what remains a significant and sophisticated cyber-attack and a serious crime against SEPA. We’ve been clear that we won’t use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds.”

He added: “We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online.  We’re working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals.”

The Conti leak was initially limited to just seven per cent of the total cache of data stolen from SEPA in the ransomware attack, which had downed systems and email for 1,200 staff. This is what cyber threat intelligence agencies define as a ‘double extort’ method: the cyber gangs publish a portion of the data to threaten their victims that they will release more unless they pay the ransom in full. By releasing the full 100 per cent cache, 4,150 files, it could be that Conti has given up its attempt to extract cash from SEPA, although the agency is still facing a prolonged period of disruption because it cannot currently regain control of all of its systems.

The agency reiterated that whilst stolen data had now been illegally published and work was underway to analyse the data set, it did not yet know, and might never know, the full detail of the 1.2 GB of information stolen. Some of the information stolen will have been publicly available, whilst some will not have been. It confirmed that staff had been contacted based on the information available and were being supported, and that a dedicated data loss support website, Police Scotland guidance, enquiry form and support line were available for regulated business and supply chain partners.

The agency also confirmed that priority regulatory, monitoring, flood forecasting and warning services were continuing to adapt and operate and that a broader update on service delivery and recovery would be confirmed next week.

Mr. A’Hearn added: “Sadly we’re not the first and won’t be the last national organisation targeted by likely international crime groups.  We’ve said that whilst for the time being we’ve lost access to most of our systems, including things as basic as our email system, what we haven’t lost is our twelve-hundred expert staff.

“Through their knowledge, skills and experience we’ve adapted and since day one continued to provide priority regulatory, monitoring, flood forecasting and warning services.  Whilst some systems and services may be badly affected for some time, step-by-step we’re working to assess and consider how we recover.  We’ll issue a broader update on service delivery and recovery early next week, with weekly updates to be clear on what those we work with can expect and how we’ll prioritise progress.”

The agency stressed firm Police Scotland advice that organisations and individuals should not seek to search for the stolen information, as accessing the host site may place organisations, individuals and their computer infrastructure at risk.

Detective Inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit said: “This remains an ongoing investigation. Police Scotland are working closely with SEPA and our partners at Scottish Government and the wider UK law enforcement community to investigate and provide support in response to this incident. Enquiries remain at an early stage and continue to progress including deployment of specialist cybercrime resources to support this response.

“It would be inappropriate to provide more specific detail of investigations at this time.”

Jude McCorry, Chief Executive of the Scottish Business Resilience Centre, added: “There are many ways, including ransomware, a business can experience a cyber security incident, with varying levels of complexity and disruption. Cyber incidents can occur through deliberate targeting, like we have seen with SEPA, or even human error; the end result is the same: a disruptive effect on business operations.

“At SBRC we are working in partnership with Police Scotland and Scottish Government, running the UK’s first collaborative cyber incident response helpline for organisations in Scotland.”