Full Report
The Glasgow City Council announced that it was affected by an incident “disrupting a number of online services and which may have involved the theft of customer data.”
Analysis Summary
# Incident Report: Glasgow City Council Cyber Incident
## Executive Summary
Glasgow City Council experienced a cyber incident announced on Wednesday, June 25th, 2025, which disrupted several online services. The incident was discovered by the council's IT supplier, CGI, on servers managed by a third-party supplier, and the council proactively took the affected servers offline. The primary impact is the disruption of digital services and the *presumed* exfiltration of customer data submitted through the web forms that are currently unavailable.
## Incident Details
- Discovery Date: "Last week" relative to the announcement, i.e. the week before June 25th, 2025
- Incident Date: Undisclosed, confirmed sometime prior to June 25th, 2025
- Affected Organization: Glasgow City Council
- Sector: Government/Municipal Services
- Geography: Glasgow, Scotland (UK)
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed
- Vector: Unknown; the intrusion occurred on servers managed by a third-party supplier.
- Details: The mechanism of initial compromise is not described in the source material.
### Lateral Movement
- Details: Not specified in the provided information.
### Data Exfiltration/Impact
- Details: The council states they are "operating on the presumption that customer data related to the currently unavailable web forms may have been exfiltrated." Digital and online services have been disrupted due to servers being taken offline.
### Detection & Response
- Detection: Uncovered by the council’s IT supplier, CGI, on servers managed by a third-party supplier.
- Response Actions: Affected servers were taken offline to mitigate further disruption. Residents were advised to be cautious of unsolicited contact and to report suspicious activity to Police Scotland.
## Attack Methodology
- Initial Access: Unknown.
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Not specified.
- Collection: Data theft is presumed, specifically **customer data** related to unavailable web forms.
- Exfiltration: Presumed, via the compromised servers managed by the third-party supplier; not confirmed by the council.
- Impact: Disruption of online/digital services and potential customer data loss.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Potential theft of **customer data** associated with web forms. Volume and type of data are unconfirmed.
- Operational: Disruption of "a number of online services" requiring affected servers to be taken offline.
- Reputational: Public announcement and issuance of cautions to residents regarding potential contact by malicious actors.
## Indicators of Compromise
- (No specific indicators like domains, hashes, or IP addresses were provided in the source material.)
## Response Actions
- Containment: Taking the affected servers offline.
- Eradication: Not specified.
- Recovery: Work underway to restore services (implied by the disruption announcement).
## Lessons Learned
- Critical dependency on third-party supplier security: The intrusion originated on servers managed by a third party, pointing to potential gaps in third-party risk management or in network segmentation between supplier-managed and council-managed systems.
- Presumption of data loss: Operating immediately on the assumption that data has been compromised, rather than waiting for forensic confirmation, accelerates the required notifications to residents and regulators and the remediation work.
## Recommendations
- Conduct a full forensic investigation into the third-party supplier environment where the intrusion was first detected.
- Immediately implement robust data breach notification protocols concerning the potentially exfiltrated customer data.
- Review and enhance monitoring, segmentation, and access controls across all third-party managed infrastructure.