Audit sympathetic toward Comhairle nan Eilean Siar as staff stretched to capacity trying to recover Auditors remain concerned about the cyber resilience of a Scottish council as some systems are yet to be fully rebuilt following a ransomware attack in November 2023.…
# Incident Report: Comhairle nan Eilean Siar Ransomware Attack (Nov 2023)
## Executive Summary
In November 2023, Comhairle nan Eilean Siar (a Scottish council) suffered a significant ransomware attack that caused the failure and destruction of several critical IT systems, particularly within the finance department. While the initial response was largely effective, recovery has been slow: key systems (such as those for housing benefits and council tax) remained unrebuilt as of late 2025 because of the volume of data to be reconstructed and limited staff capacity. The incident exposed significant pre-existing weaknesses in cyber resilience, preparedness, and staff capacity, leading to ongoing operational backlogs and an estimated £950,000 in direct costs.
## Incident Details
- **Discovery Date:** Unknown (Implied shortly after November 2023)
- **Incident Date:** November 2023
- **Affected Organization:** Comhairle nan Eilean Siar
- **Sector:** Local Government/Public Administration
- **Geography:** Western Isles, Scotland
## Timeline of Events
### Initial Access
- **Date/Time:** November 2023
- **Vector:** Not explicitly detailed in the provided text, but the attack leveraged pre-existing weaknesses in IT infrastructure and governance.
- **Details:** The attack successfully compromised numerous locally hosted systems (excluding cloud-hosted services).
### Lateral Movement
- **Details:** Movement across the network is implied rather than stated: staff were locked out of substantial data sets, and multiple systems were rendered inaccessible or destroyed.
### Data Exfiltration/Impact
- **Impact Details:** Systems for housing benefits, council tax, and non-domestic rates were severely impacted or destroyed. Some data was confirmed as permanently lost. The council could not publish its 2024 annual accounts on time.
### Detection & Response
- **Detection:** The time of detection is not stated, but the organization quickly escalated the incident to the central Scottish government and the NCSC.
- **Response Actions:** Followed the business continuity plan (though untested for this severity). Payroll functionality (ResourceLink system) was restored by the end of the month. Engaged third parties, including NCC Group, for remediation.
## Attack Methodology
The specific TTPs used by the ransomware actor are not detailed, but the impact suggests typical ransomware activities.
- **Initial Access:** Unknown.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown, but internal weaknesses were exploited.
- **Lateral Movement:** Extensive, affecting most systems due to local hosting.
- **Collection:** Data sets were locked and some data was permanently lost; whether data was also stolen is not confirmed (see Exfiltration).
- **Exfiltration:** Likely occurred prior to encryption/destruction, though not confirmed.
- **Impact:** System encryption/destruction and data loss, requiring manual data reconstruction for essential functions like annual reporting.
## Impact Assessment
- **Financial:** Estimated direct costs of £950,000 ($1.25 million), covering consultancy fees, cloud setup, and ongoing charges. Insurance payout still pending.
- **Data Breach:** Significant data loss confirmed across critical service databases. Data gaps existed even after manual reconstruction for 2024 accounts.
- **Operational:** Severe disruption requiring two years of recovery effort (as of late 2025). Manual processes replaced digital ones, significantly increasing staff workload and creating backlogs across departments that are expected to affect operations for months or years. Payroll remained functional, a critical success.
- **Reputational:** Subjected to public audit scrutiny regarding cyber resilience and recovery timelines.
## Indicators of Compromise
*Indicators of Compromise (IOCs) were not provided in the source material.*
## Response Actions
- **Containment:** Prompt reporting and escalation to NCSC/Government bodies.
- **Eradication:** Remediation efforts undertaken with external consultants (e.g., NCC Group).
- **Recovery:** Focused on rebuilding essential databases and slowly restoring services. As of April 2025, all services were operational, but backlogs persisted. Two years post-attack, some critical systems remained unrebuilt.
## Lessons Learned
- **Pre-existing Deficiencies:** Confirmed weaknesses in IT infrastructure, governance, and preparedness (identified as early as 2021/22) likely exacerbated the attack's impact.
- **Backup Robustness:** Council backups were not considered robust enough to minimize the attack's impact sufficiently.
- **Incident Planning:** While a response plan existed, continuity plans were not applied consistently or adequately stress-tested against a severe event like the 2023 ransomware attack.
- **Staff Capacity:** The attack severely stretched IT and administrative staff capacity due to manual workload increases. Staff support and communication during crises were identified as an area needing improvement.
- **Remediation Stagnation:** As of September 2025, only 5 out of 10 recommended cybersecurity improvements had been implemented.
## Recommendations (Based on Audit Findings)
- Set realistic and achievable timelines for all agreed audit recommendations to improve monitoring by elected members.
- Urgently test updated business continuity and incident response plans against scenarios as severe as the 2023 attack.
- Address pre-existing infrastructure and governance weaknesses, particularly regarding locally hosted systems.
- Improve staff communication and support mechanisms during significant recovery events to mitigate stress and workload impacts.