Scottish EPA Suffers Breach and Disclosure of 4,000 Stolen Files
In the follow up to the Christmas Eve attack that left the Scottish Environmental Protection Agency with encrypted files, the attackers have now released the 4,000 files they intended to hold for ransom. The files include contracts and strategy documents.
After the initial Christmas Eve breach, attackers were able to encrypt much of the SEPA’s files. The attack also affected the SEPA’s email system, which remains offline. SEPA has responded by declaring that they will not “engage” with the attackers and no public funds would be used to pay the ransom. This news likely led to the disclosure of the stolen documents.
The agency is charged with protecting Scotland’s environment via national flood forecasting, flood warnings and more. As such, the stolen data included various information related to environmental businesses – including publicly-available regulated site permits, authorizations, and enforcement notices, as well as data related to SEPA corporate plans, priorities and change programs. Other compromised data was related to publicly available procurement awards and commercial work with SEPA’s international partners. Also stolen was the personal data of SEPA’s staff.
SEPA has stated it may never know the full extent of all the files stolen. Some of the compromised information was already publicly available while most was not. SEPA’s email and other systems remain down, and “it is now clear is that with infected systems isolated, recovery may take a significant period,” according to the agency in its update. “A number of SEPA systems will remain badly affected for some time, with new systems required.”
It’s still unclear how the attackers managed to breach SEPA’s systems or how much they are demanding in terms of ransom. The attackers have claimed that the stolen data has been posted to underground forums, with one report stating that over 1,000 people so far have accessed and read the stolen information.
This attack and subsequent data leak are part of a growing trend in which hackers release the stolen data for public use rather than destroying it. This means that a robust backup plan is no longer good enough to protect yourself and your company from ransomware attacks.
The Conti ransomware gang has since claimed responsibility for the attack.
Sources: