Sepa data leaks as agency resists ransom demands

The Conti ransomware gang has published a number of files stolen from the Scottish Environment Protection Agency (Sepa) in an attack on Christmas Eve, as the agency continues to resist its demands to pay.

The attack saw the theft of 1.2GB of data contained in about 4,000 files. The material in question includes business information including regulated site permits, authorisations, enforcement notices, corporate planning and change programmes; procurement information such as publicly available procurement awards; project information relating to Sepa’s commercial work; and personal information on its staff.

The agency’s chief executive, Terry A’Hearn, said: “Supported by Scottish government, Police Scotland and the National Cyber Security Centre [NCSC], we continue to respond to what remains a significant and sophisticated cyber attack and a serious crime against Sepa.

“We’ve been clear that we won’t use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds.

“We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online. We’re working quickly with multi-agency partners to recover and analyse data, then, as identifications are confirmed, contact and support affected organisations and individuals.”

Sepa said work was under way to analyse the gang’s data dump, but said it did not know, and possibly would never know, the full details of what was stolen. It has contacted affected staff based on the available information, has set up a dedicated data loss support website, and is providing police guidance and support to its business and supply chain partners.

It also said the bulk of its work, including priority regulatory, monitoring, flood forecasts and warning services, were adapting and operating at this time.

“Sadly, we’re not the first and won’t be the last national organisation targeted by likely international crime groups,” said A’Hearn. “We’ve said that while for the time being we’ve lost access to most of our systems, including things as basic as our email system, what we haven’t lost is our 1,200 expert staff.

“Through their knowledge, skills and experience, we’ve adapted and since day one continued to provide priority regulatory, monitoring, flood forecasting and warning services. While some systems and services may be badly affected for some time, step-by-step we’re working to assess and consider how we recover. We’ll issue a broader update on service delivery and recovery early next week, with weekly updates to be clear on what those we work with can expect and how we’ll prioritise progress.”

Detective inspector Michael McCullagh of Police Scotland’s Cybercrime Investigations Unit added: “This remains an ongoing investigation. Police Scotland is working closely with Sepa and our partners at Scottish government and the wider UK law enforcement community to investigate and provide support in response to this incident. Enquiries remain at an early stage and continue to progress including deployment of specialist cyber crime resources to support this response.”

Scottish Business Resilience Centre (SBRC) chief executive Jude McCorry said: “There are many ways, including ransomware, that a business can experience a cyber security incident, with varying levels of complexity and disruption. Cyber incidents can occur through deliberate targeting like we have seen with Sepa, or even human error. The end result is the same – a disruptive effect on business operations.

“At SBRC, we are working in partnership with Police Scotland and Scottish government running the UK’s first collaborative cyber incident response helpline for organisations in Scotland.”

The SBRC runs its own incident response helpline for victims in Scotland, which can be reached on 01786 437472, providing support and guidance, but in the first instance, targeted businesses should contact Police Scotland via the usual channels.

Stuart Reed, UK director of Orange Cyberdefense, said Sepa’s response to the incident so far had been exemplary, following the playbook established by Norwegian metals supplier Norsk Hydro, which set new standards in transparency when it was attacked in March 2019.

“Continuing an open dialogue with stakeholders in the coming days will rightly be a key priority,” he said. “However, now that the worst has happened and Sepa’s files are in the public domain, the organisation must focus on shoring up its defences and refreshing its cyber security practices.

“A well-handled breach is praiseworthy, but should hackers breach the organisation for a second time, the tide of public sentiment could turn against Sepa, particularly if any sensitive personal data became exposed. Adopting a layered approach to security, deploying well-trained people, refined processes and fit-for-purpose threat detection and response technologies, can hugely reduce the risk posed by malicious actors, while minimising the impact of a breach, should one occur.

“With these pillars in place, Sepa’s employees, partners and governing bodies can be confident that the organisation is fulfilling its obligations and duty of care.”