Cybersecurity · 28 Nov 2025 · 4m · altiatech.com

Two Years After Ransomware Attack, Scottish Council Faces Recovery Challenges

Comhairle nan Eilean Siar grapples with the aftermath of a ransomware attack as key systems remain offline. The attack's impact shows the need for improved cybersecurity measures.

Key Takeaways

  1. "Weaknesses in IT infrastructure, governance, preparedness, and staff capacity were identified back in 2021/22 and had they been addressed sooner, the impact of the attack might have been reduced," the report emphasized.
  2. "The prolonged outage demonstrates how ransomware attacks create lasting operational damage extending far beyond initial incident response," noted a report from Scotland's Accounts Commission.
  3. "Comhairle nan Eilean Siar staff went above and beyond to mitigate the impacts on service users, suppliers, and the local community," said Jo Armstrong, Chair of the Accounts Commission.

Two years have passed since a crippling ransomware assault struck Comhairle nan Eilean Siar, the council responsible for Scotland's Western Isles. Despite ongoing efforts, many critical systems have yet to be restored, with the incident illuminating the far-reaching implications of insufficient cybersecurity practices. The attack, which occurred in November 2023, has left the council struggling to recover essential operations that are vital to public service delivery.

"The prolonged outage demonstrates how ransomware attacks create lasting operational damage extending far beyond initial incident response," noted a report from Scotland's Accounts Commission. The local authority continues to grapple with the fallout, particularly concerning services related to housing benefits and council tax, which remain offline, two years post-incident. These functions are fundamental for the council’s financial sustainability, further complicating their recovery journey.

Looking Ahead

As the council aims to regain lost ground, findings reveal that many cybersecurity enhancements initially recommended have yet to be implemented. By September 2025, only half of the ten recommended security improvements had been acted upon, raising alarm about the council's preparedness for potential future threats. "Weaknesses in IT infrastructure, governance, preparedness, and staff capacity were identified back in 2021/22 and had they been addressed sooner, the impact of the attack might have been reduced," the report emphasized.

Impact and Legacy

Significantly, the audit pointed out that critical cybersecurity measures were left unattended, including untested incident response strategies and inadequate staff training programs. This neglect not only hampered recovery from the initial attack but has also left the council exposed to subsequent cyber threats, a concern rooted in long-standing resource issues.

At the time of the attack, several factors contributed to the council's heightened vulnerability. Vacancies within the IT department, such as the critical senior systems analyst position, exacerbated the situation. Moreover, the absence of ongoing cybersecurity training and overdue certifications left essential plans for incident responses and disaster recovery unformulated, ultimately crippling their readiness.

The report highlighted that many of the council's systems were hosted locally rather than in more secure cloud environments. Despite a partial move to cloud-hosted systems, the reliance on local servers meant that crucial data was more susceptible to the assault, leaving backups insufficient to cushion the blow. Though deemed adequate by many assessments, the actual security posture of the council emerged as tragically flawed in hindsight.

The human impact of the attack has been profound, stretching council staff to their limits. By April 2025, although all services were theoretically back online, the backlog resulting from the attack was staggering. "Comhairle nan Eilean Siar staff went above and beyond to mitigate the impacts on service users, suppliers, and the local community," said Jo Armstrong, Chair of the Accounts Commission. The intense pressure to recover has taken an emotional toll on employees, further exacerbated by manual processes that replaced lost digital systems.

Additionally, the financial setback from the incident is considerable. Direct costs stemming from the attack are estimated to be substantial, with the council facing challenges in completing their 2024 annual accounts due to lost data and delayed processes, leading to acknowledgments of ongoing gaps in financial reporting.

Looking Ahead

Looking forward, it is crucial for Comhairle nan Eilean Siar to prioritize the restoration of its systems alongside the implementation of recommended cybersecurity measures. The experience serves as a harsh reminder of the importance of proactive cybersecurity practices, especially for resource-constrained local authorities. As they rebuild, learning from these experiences will be vital in ensuring future resilience against cyber threats and the safeguarding of essential services for the community.