Thousands of stolen files from the Scottish Environment Protection Agency (SEPA) have been published online by hackers as a result of a ransomware attack.
In a statement, SEPA confirmed that it was responding to a “significant” ransomware attack on Christmas Eve, “likely to be by international serious and organised cyber-crime groups”.
According to the agency, around 1.2 GB of data was stolen, with at least 4,000 files accessed and then illegally published online.
Stolen information is thought to include business, procurement, project and staff data. SEPA said that it does not “yet know, and may never know” the details of the stolen data.
SEPA said that “recovery may take a significant period”, and that a number of systems will remain badly affected for some time.
A number of internal systems, including its email system, and external data products will remain offline in the short term, but the agency is able to continue to provide priority regulatory, monitoring, flood forecasting and warning services, it said.
According to the BBC, the attack has been claimed by the Conti ransomware group. SEPA has not paid the ransom demanded by the group.
SEPA chief executive Terry A’Hearn said: “We’ve been clear that we won’t use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds.
“We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online. We’re working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals.”
Jake Moore, cybersecurity specialist at ESET, said:
“Companies are often stuck between a rock and a hard place when it comes to ransomware demands, but it bodes well in the long run to stay firm and not pay. Being honest with customers and the public is a far better way out and it halts the funding of future cybercrime, which is not showing any signs of slowing down. By publishing the data on dark web forums it suggests the threat actors have tried all they can to make money from it. However, this may not halt other cybercriminals from trying their luck with the data should they be able to decrypt it.”