Almost 60 per cent of Scottish councils and more than half of Scotland’s health boards have been targeted by cyber criminals since 2014, a Scotsman investigation has revealed.
Nine universities and numerous government bodies have also been hit during the last three years, the investigation found. Some local authorities reported being bombarded with thousands of spam emails and receiving ransom demands to decrypt data. Freedom of Information requests showed 19 of Scotland’s 32 councils experienced either attempted or successful attacks since 2014. Ransomware attacks were reported by 14 local authorities, sometimes on multiple occasions.
Four councils refused to reveal any information, with two fearing doing so would leave them vulnerable to future attacks. Of the incidents logged by 19 councils, only nine authorities reported any of them to police, although no data was stolen or lost. The investigation revealed Scottish local authorities were subject to more than 50 notable incidents in the past three financial years. Aberdeen City Council was one of the hardest hit. Between 2014 and 2017, it suffered 12 successful cyber attacks, including six ransomware incidents, and had its webpage defaced. It also recorded more than 15 million attempts, including intrusion threats, spam, web risks and viruses, in the last eight months of 2016.
Police were notified of two incidents. Highland Council reported being targeted 953 times, including two partially-successful ransomware attacks, while more than 415,000 unsuccessful spam emails were sent to East Lothian Council. Perth and Kinross Council reported blocking an average of 1.2 million spam emails every month. None of its three ransomware attacks were reported to any authority as it said “attacks were treated as business as usual and not significant enough to warrant reporting”. Falkirk, Glasgow City, North Ayrshire and Dumfries and Galloway councils refused to disclose any details.
Three ransomware hits got through Dundee City’s defences; North Lanarkshire Council had two malware incidents in 2015 and three ransomware incidents in 2016; and Edinburgh City Council reported nine incidents, including malware preventing access to systems, a sustained distributed denial of service (DDoS) attack, and malware being installed and copied. A spokesman for local authority umbrella body Cosla said: “This is a fine balancing act for councils. “Scotland’s councils have good defences in place and as such are confident around them preventing it happening to us. That said, we are certainly not, and never will be complacent or think that this couldn’t happen to us. “We fully recognise how important our cyber security is and we are doing everything we can to safeguard councils against such attacks.”
The research, conducted together with The Scotsman’s sister titles in Johnston Press, found 11 of Scotland’s health boards were affected by the WannaCry attack in May which affected the NHS network across the UK. In addition, NHS Fife logged 693 attempted malware attacks in the past three years. It was also hit by three successful ransomware attacks which required PCs to be rebuilt. NHS Lanarkshire reported 51 attempted or successful attacks and NHS Greater Glasgow and Clyde was subject to four cyber breaches in 2016. Files became inaccessible after being encrypted by ransomware. However, data was recovered and the ransom was not paid.
NHS Ayrshire and Arran said it did not record attempts, but had one successful ransomware attack on a GP practice in 2015. In the past year, NHS Highland had one ransomware email that attacked a “small number of files”. No ransom was paid and no data was lost. NHS Tayside reported being bombarded with up to 7,000 attempts every month including ransomware. NHS Orkney refused to reveal the details, stating that disclosure could pose a risk to national security.
NHS Grampian did not respond, and NHS Lothian reported no cyber attacks had resulted in a breach of security. Dumfries and Galloway, Shetland and the Borders health boards said they had no attempted cyber attacks. No board reported losing data. Jann Gardner, director of planning and strategic partnerships with responsibility for IT at NHS Fife, said: “Of the 693 attempted malware attacks, only three affected small areas of our network, with swift action taken to contain and repair systems. “No patient data was lost or compromised.”
A Scottish Government spokesperson said: “Scotland’s public sector bodies take cyber security seriously and already implement a wide range of measures to ensure basic security standards are met. “The Scottish Government has committed to accelerating the development of a public sector action plan to help promote a common approach to cyber resilience across Scotland’s public bodies. “Ministers expect to receive recommendations from the National Cyber Resilience Leaders’ Board (NCRLB) shortly. “Following this, the Scottish Government will consult with Scottish public bodies on any implementation challenges before taking the plan forward. “The NCRLB’s recommendations are expected to have reference to the Cyber Essentials accreditation scheme, which is endorsed by the National Cyber Security Centre, and which helps protect organisations from the most common forms of cyber-attack. “The Cyber Essentials scheme is open to the public, private and third sectors, and offers a sound foundation of basic cyber security measures that all types of organisation can implement and potentially build upon.”
A spokesman for NHS Lanarkshire said that only the WannaCry incident was reported to the police as no data was lost or stolen in the other cases. A spokeswoman for Police Scotland said: “We always encourage anyone who thinks they’ve been a victim of cybercrime to come forward and report it to police.” Detective Inspector Eamonn Keane, from Police Scotland’s cyber crime unit, added: “Cyber crime has witnessed significant growth. “The cyber threat to Scotland is indicative of that local, national and international threat applicable to all regions in the UK.”
Reporting team: Deborah Punshon, Aasma Day, Cahal Milmo, Don Mort, Chris Burn, Ruby Kitchen, Paul Lynch, Oli Poole, Gavin Ledwith, Ben Fishwick and Philip Bradfield.
Author – JOHNSTON PRESS INVESTIGATIONS UNIT