by Ethan Claridge
27 November 2025
Council had ‘gaps in cybersecurity’ before ransomware attack

Comhairle nan Eilean Siar is based in Stornoway | Alamy

A report into a cyberattack on a Scottish council has found the local authority had not properly prepared for such an event. 

Two years after a major cyberattack targeted Comhairle nan Eilean Siar, the Accounts Commission’s report on the attack has been published.  

In the report, the Accounts Commission recognised that while the council did take swift action to protect its systems, it hadn’t properly prepared for a potential cyberattack.  

“This cyberattack shows how exposed local government is, and the urgent need to test resilience and recovery arrangements,” said Jo Armstrong, the chair of the Accounts Commission. 

“Councils need to assume that it’s a case of when, not if, they are attacked. A collective approach is needed to prepare councils for an increasingly digital future – they must collaborate, learn from each other and work closely with partners, including the Scottish Government.”

The report said the impact of the attack was immediate, crippling the council’s ability to function and resulting in the near-total loss of the data held on the council’s file share servers. The attack was identified as a sophisticated ransomware attack in which attackers had installed malware onto the council’s system that encrypted and removed access to the council’s systems and data. The report does note that the council "escalated the issue appropriately" when it was discovered, meeting regularly and ensuring that a temporary website was available for constituents.

"Comhairle nan Eilean Siar welcomes the publication of the Accounts Commission’s report," said Malcolm Burr, chief executive of Comhairle nan Eilean Siar. "The report illustrates the scale of the cyber-attack’s impact and commends the excellent response of Comhairle nan Eilean Siar employees in continuing the operation of Comhairle services."

As a result of the attack, various services were affected, leaving users unable to access critical services like paying council tax. The report said the impact of the disruption is still being felt, as some critical services like the housing benefits systems are still recovering and dealing with significant backlogs. 

“Both the auditor and the independent reviews commissioned have identified that the organisation had gaps in their cybersecurity, business continuity and disaster recovery arrangements in place,” said the report. “It is not possible to conclude whether a more robust control environment would have prevented the cyberattack however, stronger controls may have helped to reduce its impact or improve the speed of detection and response.”

The Accounts Commission said that despite an internal audit recommending 10 steps to increase the council’s cybersecurity after the attack, only five of those recommendations had been fully implemented. 

The report further highlighted that specific policies around staff training, testing of cyber-resilience plans and the full compliance of the council with the National Cyber Security Centre’s (NCSC) cybersecurity principles were still outstanding.  

The attack is estimated to have cost the council over £950,000 in direct costs, with £300,000 of this occurring on a regular basis as the council focuses its efforts on rebuilding systems.  

The Accounts Commission has recommended that all councils should invest in comprehensive staff training programmes to minimise risk while also managing the IT capacity of the teams so that they can effectively deliver cybersecurity protocols and recovery plans.

“We urge all councils to prioritise preparation and testing of plans – this and other recent high-profile cases have shown that nobody is immune, but everyone can be prepared so disruption is minimised,” said the report. “Nobody reading this report should think that, because their IT setup differs from that of na h-Eileanan Siar, ‘it couldn’t happen to us’”.  

Recent data published by the NCSC shows that the number of "highly significant" cyberattacks in the UK rose by almost 50 per cent since 2024. The review outlines that these “highly significant” attacks are targeted to disrupt the workings of central government, the operations of essential services and significantly impact a large proportion of the population or economy.

“Comhairle nan Eilean Siar will review the findings of this report in detail and use the Commission’s recommendations to inform our ongoing work to improve cyber-security resilience and our business continuity protocols, which we are pleased to see the report recognise was a key part of our corporate response,” said Burr.

“The report rightly recognises the significant risk of cyber-attacks. To allow local authorities to improve cyber security resilience and disaster recovery preparedness it is important that funding for local authorities keeps pace with necessary measures to combat malicious technology and techniques.”
