Western Isles council is still dealing with service backlogs two years on from a cyberattack that crippled its systems, an external audit has found.

The local authority, which serves a population of just 26,640 people across Lewis, Harris, North Uist, Benbecula, South Uist, and Barra, is still not back to normal service since the ransomware incident in November 2023.

Audit Scotland today published a review undertaken by the Accounts Commission, the external scrutiny body for Scottish local councils, which found the council had not taken action to address previous weaknesses in IT and cyber governance.

It also found the council’s business continuity plans hadn’t fully anticipated the scale of the attack, and that if it had been better prepared, it is ‘possible’ that the attack’s impact might have been reduced.

The attack caused immediate, severe and prolonged disruption, with the impact most significant for the council’s finance team. It caused the near total loss of use of the data held on its servers.

All Scottish councils must learn from the immediate and ongoing impacts of a significant cyber-attack on Comhairle nan Eilean Siar, the council’s Gaelic name, said the Commission in a 23-page report released today.

Jo Armstrong, Chair of the Accounts Commission, said: “This cyberattack shows how exposed local government is, and the urgent need to test resilience and recovery arrangements. Councils need to assume that it’s a case of when, not if, they are attacked. A collective approach is needed to prepare councils for an increasingly digital future – they must collaborate, learn from each other and work closely with partners, including the Scottish Government.”

In its report, the Commission recognised that the council took swift action to protect systems and prioritise front-line services and payments to staff and suppliers.

Staff continue to work hard to maintain service performance; however, two years on, some services are still recovering and dealing with backlogs. The council must urgently carry out thorough and routine testing of its new response, recovery and business continuity plans.

Armstrong said: “Comhairle nan Eilean Siar staff went above and beyond to mitigate the impacts on service users, suppliers and the local community. This increased pressure on staff as they took on additional work, alongside dealing with day-to-day responsibilities. We want the council to take action to improve how they communicate and support staff during significant events that could increase workload and stress.”

The report revealed that the council experienced a sophisticated ransomware attack on 7 November 2023 and employees and customers were unable to access its systems and data. The attackers had installed malware (malicious software) after they gained unauthorised access to the system. A number of the council’s systems and back-ups were affected, including the general ledger and other accounting records.

Because of the lost data and incomplete records, the auditor was unable to obtain “sufficient audit evidence” about transactions and balances for 2023/24. The missing or irrecoverable data was deemed pervasive enough to prevent a reliable audit.

The report also noted that many of the vulnerabilities exploited by the attack had been identified previously in 2021–22, but recommendations to fix them had not been implemented.

Although the council eventually mobilised a response, its existing continuity plans had not been tested against a severe event like the ransomware attack. As a result, the manual workarounds adopted were far from robust, and some systems remain not fully rebuilt nearly two years later.

The pressures placed on many staff were also highlighted. The Commission said it expects the council to ‘consider the lessons which could be learned in relation to communicating with and supporting staff during periods of high stress and increased workload related to significant events’.

Services are continuing to integrate data into the new IT systems while simultaneously working through a significant backlog of tasks. This is particularly evident in revenues and benefits and planning services, where the disruption continues to have an impact.

Internal audit reported that staff were stretched to capacity, and that the increased workload and pressure are likely to continue affecting operations until full normality is restored, potentially months or even years into the future, the report found.
