Ethical Hacking News
A two-year-old ransomware attack on Scotland's Comhairle nan Eilean Siar council has left a lasting impact on the authority's cybersecurity posture, highlighting the need for local authorities to prioritize their cybersecurity resilience and recovery capabilities.
The Comhairle nan Eilean Siar council's cybersecurity posture remains unaddressed after a devastating ransomware attack in November 2023. Several weaknesses in IT infrastructure, governance, preparedness, and staff capacity remain unaddressed despite an audit by Scotland's Accounts Commission. The council's backups were deemed inadequate to minimize the impact of a potential attack, and its overall cyber posture was still considered adequate at the time of the attack. Financial support has been provided by the Scottish government, but significant gaps in cybersecurity measures remain. The audit report highlights the need for local authorities to prioritize their cybersecurity posture and take proactive measures to address gaps in resilience and recovery capabilities.
The aftermath of a devastating ransomware attack that struck Scotland's Comhairle nan Eilean Siar council two years ago continues to reverberate, leaving behind a trail of unanswered questions about the authority's cybersecurity posture and its resilience in the face of increasingly sophisticated cyber threats. The incident, which occurred in November 2023, resulted in significant disruption to the council's operations, with several systems being reconstructed, and various gaps in its cybersecurity defenses remaining unaddressed.
The Comhairle nan Eilean Siar council, responsible for providing a range of essential services to the local community on the Isle of Lewis, was hit by the ransomware attack, which compromised critical infrastructure, including its finance department, housing benefits systems, council tax collection, and non-domestic rates. The attack also had a profound impact on the council's staff, with many employees working extended hours to mitigate the effects of the attack, leading to burnout and decreased morale.
An audit conducted by Scotland's Accounts Commission has found that despite the council's swift response to the attack, several weaknesses in its IT infrastructure, governance, preparedness, and staff capacity remain unaddressed. The audit report noted that only five out of ten recommended cybersecurity improvements were implemented at the time of the attack, with significant areas yet to be addressed, including testing staff training programs, testing the incident response plan, and meeting full compliance with the National Cyber Security Centre's (NCSC) security principles.
The Comhairle nan Eilean Siar council has been criticized for its failure to adequately address its cybersecurity posture in the aftermath of the attack. The audit report highlighted that the council's backups were not considered robust enough to minimize the impact of a potential attack, and its overall cyber posture was still deemed adequate at the time.
The Scottish government has already provided financial support to the council, with around £250,000 ($330,000) claimed from the government, in addition to an estimated £950,000 ($1.25 million) in direct costs related to the attack. The council continues to pursue an insurance payout to cover a larger share of the total outlay.
The audit report has also raised concerns about the Comhairle nan Eilean Siar council's ability to test its business continuity and incident response plans against scenarios as severe as the 2023 attack. The report noted that the council's response to the attack was "largely effective," but its continuity plans were not applied consistently across the organization and had not been adequately tested.
The Comhairle nan Eilean Siar council's experience serves as a cautionary tale for local authorities, highlighting the need for robust cybersecurity measures, regular testing of incident response plans, and adequate staffing to mitigate the impact of cyber attacks. The audit report emphasizes the importance of addressing these gaps to ensure that councils can better prepare for and respond to future cyber threats.
In an effort to improve its cybersecurity posture, the Comhairle nan Eilean Siar council has engaged with various organizations, including NCC Group, a UK-based cybersecurity firm, to help with remediation efforts. The council has also made progress in its recovery plan, but significant work remains to be done to address the weaknesses identified by the audit report.
The experience of Comhairle nan Eilean Siar council highlights the need for local authorities to prioritize their cybersecurity posture and take proactive measures to address gaps in their resilience and recovery capabilities. By doing so, councils can better protect themselves against cyber threats and ensure continuity of essential services.
Related Information:
https://www.ethicalhackingnews.com/articles/Awareness-Gaps-Persist-A-Two-Year-Old-Ransomware-Attack-on-Scotlands-Comhairle-nan-Eilean-Siar-Council-Lingers-Exposing-Resilience-and-Recovery-Challenges-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/11/27/western_isles_ransomware_council/
Published: Thu Nov 27 08:40:40 2025 by llama3.2 3B Q4_K_M
