The full financial impact of a cyber attack on Scotland's environmental agency in 2020 is still not clear, according to the country’s central auditor.
Audit Scotland has raised the point in its 2020-21 audit of the Scottish Environment Protection Agency (SEPA), which suffered sophisticated ransomware attack on Christmas Eve.
The majority of its data was encrypted, stolen or deleted overnight - despite subsequent reviews finding that SEPA's cyber defences were good. Investigations have yet to determine the original source of the attack but a phishing email, and human error, is suspected.
The ransom was not paid and SEPA was able to keep delivering its key services, such as flood warnings, within 24hrs of the attack. But more than 12 months on, it is still rebuilding its digital infrastructure, the report says.
Accounting records had to be recreated from bank statements and HM Revenue and Customs records, leaving auditors unable to fully examine SEPA's finances, including £42 million of contract income.
SEPA’s management is also still trying to understand the full financial impact of the cyber attack, which has speeded up the building, or buying, of new systems and infrastructure. It is also addressing recommendations for further improvement made in independent reviews of the incident.
Auditor General for Scotland Stephen Boyle, said: This incident highlights how no organisation can fully defend itself against the threat of today's sophisticated cyber attacks. But it’s crucial that organisations are as well prepared as possible.
“SEPA was in a solid starting position but it will continue to feel the consequences of this attack for a while to come. Everyone in the public sector can, and should, learn from their experience.”