SCOTLAND'S public bodies and educational institutions have been hit by dozens of cyber attacks in the last three years, figures show.
The Scottish Government said it has been notified of 27 separate attacks since a reporting system was launched in December 2017.
Scotland's environmental watchdog previously said it could take more than a year to fully recover from a devastating attack it suffered on Christmas Eve.
The Scottish Environment Protection Agency (Sepa) had thousands of digital files stolen by hackers, which were then published on the internet.
The public body spent nearly £800,000 responding to the incident.
Scottish Tory MSP Tess White said the public would be "alarmed" at the latest figures.
She said: “There is absolutely no room for complacency on this issue from the Scottish Government.
"The public will be alarmed that such a significant number of cyber-attacks have taken place against public bodies in recent years.
“The SNP-Green Government must ensure that every robust measure is in place going forward to ensure key infrastructure systems are safe from skilled hackers.”
The figures were published following a written question submitted by Ms White in Holyrood.
She asked the Scottish Government, in light of the cyber attack on Sepa in December 2020, whether it was aware of any other cyber attacks on public bodies in the last three years.
In response, Deputy First Minister John Swinney said the Government "works closely with Scottish public sector bodies in improving their cyber resilience capabilities".
He said: "As a consequence of this work, in December 2017, we introduced a reporting system for public sector bodies to notify the Scottish Government, Police Scotland and the National Cyber Security Centre of serious cyber incidents with the purpose of providing as much support to those affected as quickly as possible.
"During the last three years we have been notified of 27 separate attacks, some of which have been in the public sector or educational institutions."
Asked by The Herald, the Government said it could not disclose which public bodies were affected by the attacks.
A spokesman said: “In the last three years we have been informed of 27 public sector cyber security incidents with the majority not being regarded as serious enough to require national coordinated support.
"We continue to work closely with Police Scotland and the National Cyber Security Centre to ensure Scotland is resilient to cyber threats.
“In the public sector, we have a cyber-incident notification process with Police Scotland and the NCSC to provide support and share threat intelligence, where required.”
Terry A'Hearn, chief executive of Sepa, previously told the BBC it is now building a new IT system from scratch.
He said: "As the police have said, Sepa isn't an organisation that was poorly protected.
"We were accredited to the government standard, and we'd actually taken extra steps beyond that to put some protections in."
He added: "We had reform aims anyway, so we were going to build a new IT system progressively over five or six years.
"This is an opportunity we didn't want provided by criminals, but we've decided to fast-track that and will build that in one or two years rather than five or six years."
Mr A'Hearn said the cyber attack on Sepa was so severe it no longer knew who it employed.
He told the BBC: "I said to our chief financial officer – we normally pay around the end of the month – and I said have we paid people?
"And he said we always bring the payment forward before Christmas so we have.
"And I said, so we've got a month to work out how to pay people in January, and someone said well, we've got a month to work out who works for us."
Sepa refused to pay a ransom and more than 4,000 stolen files were published online.
A Police Scotland investigation into the attack is ongoing.
Detective Inspector Michael McCullagh previously said: "The actions of the criminals behind this crime show a blatant disregard for public safety, evident in this sickening attack on an organisation like Sepa.
"This type of crime and its impacts can be significant.
"I would urge caution in the viewing and downloading of any data published by cyber criminals.
"The likelihood of those files being infected and making you their next victim is high."
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereLast Updated:
Report this comment Cancel