Ministers refuse to release details of cyber attacks hitting Scottish public bodies once a month

Scottish public bodies have been hit by a cyber attack at a rate of one every month since the start of 2021, new figures suggest, but ministers say the public should not be told about the impact to services or budgets.

The figures come as critics call on the Scottish Government to proactively release a list of cyber attacks on public bodies to help public understanding.

They also called on ministers to ensure public bodies are given the resources needed to tackle cyber crime and to release details about the severity of any attacks suffered.

Hide Ad
Hide Ad

Ministers said the details of which public bodies were affected could not be released due to security concerns.

It comes a year and a half after the Scottish Environmental Protection Agency was crippled by a devastating cyber attack which saw huge swathes of data encrypted in December 2020.

Only in April did SEPA confirm it had completed recovery work following the attack at an overall cost of £5.5m to the taxpayer, £4.4m of which was specifically linked to the cost of fixing the damage from the attack.

Figures obtained by Scotland on Sunday state the Scottish Government was informed public bodies in Scotland were subject to 12 attacks in 2021, with a further two up until March 31.

The government is not a reporting body for cyber attacks, but public bodies are advised to notify the Scottish Government’s Cyber Resilience Unit under cyber incident procedure guidance.

Ministers have refused to say what impact cyber-attacks have had on Scottish political bodies.Ministers have refused to say what impact cyber-attacks have had on Scottish political bodies.
Ministers have refused to say what impact cyber-attacks have had on Scottish political bodies.

However, the Scottish Government said releasing details of how hard public bodies were hit by the cyber attacks, including any potential briefings or reports to ministers, would not be in the public interest.

It stated that releasing such information would “undermine the relationships” between the government and the public bodies.

It further claimed publishing any information would have “severe and adverse effects” on the conduct of public affairs, adding any publication of “confidential discussions” between public bodies and the government would make it “impossible” to support the organisations.

Hide Ad
Hide Ad

Ministers also claimed it would be too expensive to find out which public bodies are still recovering from the after-effects of a cyber attack.

Miles Briggs, the Scottish Conservative local government spokesperson, blamed the number of cyber attacks of cuts to the police budget.

He said: “It’s concerning that a significant number of attacks have been made on our public bodies, yet SNP ministers are not being upfront over what exactly occurred.

“I also recently discovered the number of cyber-attacks in general has hit a record high. It is clear SNP cuts to the police’s capital budget is having a real effect on stopping these crimes.

“The public need to see ministers give our officers and public bodies the resources they urgently need to tackle these attacks.”

Pauline McNeil, Labour’s justice spokesperson, added: “Twelve incidents of cyber attacks on public bodies and no damage reports supplied by the SNP.

“Our public bodies hold a great deal of personal, private, information on Scottish citizens. It is right that Scots are informed of the severity of these attacks, what action the government is taking to safeguard their data and the action it will take against the perpetrators.”

Scottish Liberal Democrat justice spokesperson, Liam McArthur, highlighted the SEPA attack as a cautionary tale and said it made “sense” for a list of incidents to be proactively published by the Scottish Government.

Hide Ad
Hide Ad

He said: “It would make sense for the Scottish Government to proactively publish a list of incidents so that the public have a clear idea of how frequently these incidents are occurring and where is being targeted.

"They also need to be investing in resilience so that government bodies are prepared to deal with these onslaughts."

The figures come a month after SEPA confirmed the cost of the cyber-attack it suffered in December 2020 was £5.5m, with just £1.1m being investment brought forward from future years.

The environmental protection body was targeted by “international serious and organised criminal” and saw swathes of data encrypted as part of a ransomware attack.

It added it was the “right thing to do” to speak openly about the attack.

A Scottish Government spokesperson said: “Since the start of 2021, 12 public sector cyber attacks have been notified to the Scottish Government, with the majority not being regarded as serious enough to require national coordinated support and for security reasons, we would not share the names of these bodies.

"We continue to work closely with Police Scotland and the National Cyber Security Centre (NCSC) to ensure Scotland is resilient to cyber threats.

“In the public sector, we have a cyber-incident notification process with Police Scotland and the NCSC to provide support and share threat intelligence, where required.”

Hide Ad
Hide Ad

SEPA said: “Following the significant and serious criminal cyber-attack in December 2020, SEPA made the decision to build back better from new rather than re-establish legacy systems.

“The cyber-attack was not a change opportunity SEPA would have wanted to face under such severe circumstances, but it is one the agency was determined to take.

“We continue to make strong progress with our recovery and security is an integral part of our new processes and systems to limit the impact of a future attack.”

Want to hear more from The Scotsman's politics team? Check out the latest episode of our political podcast, The Steamie.

It's available wherever you get your podcasts, including Apple Podcasts and Spotify.



Want to join the conversation? Please or to comment on this article.