Glasgow City Council has warned of service disruption and potential data loss after a security incident
# Incident Report: Supply Chain Compromise Disrupts Glasgow Council Services
## Executive Summary
A security incident that began on servers managed by a sub-tier (fourth-party) supplier of CGI, Glasgow City Council's primary IT supplier, led to significant disruption of numerous online public services, including planning applications, payments, and registrar services. CGI discovered the malicious activity on June 19; the council immediately took potentially affected servers offline and opened a joint investigation with law enforcement and national cybersecurity agencies. Whether any data was actually exfiltrated has not been confirmed, but the council is proceeding on the presumption that customer data submitted through the affected web forms may have been compromised.
## Incident Details
- **Discovery Date:** June 19 (when CGI discovered malicious activity)
- **Incident Date:** Prior to June 19 (when malicious activity began on the supplier's servers)
- **Affected Organization:** Glasgow City Council
- **Sector:** Public Sector / Local Government
- **Geography:** Scotland, UK
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown; the source only establishes that the malicious activity predates its discovery on June 19.
- **Vector:** Supply Chain compromise targeting a fourth-party supplier of CGI (the council's IT supplier).
- **Details:** Malicious activity was discovered on servers managed by the fourth-party supplier.
### Lateral Movement
- **Details:** The council's decision to take its own potentially affected servers offline implies the attackers' access in the supplier environment could have reached systems supporting council services. The source gives no specifics of how, or whether, the attackers moved between environments.
### Data Exfiltration/Impact
- **Details:** Disruption to digital services occurred as a result of isolating potentially impacted servers. Services impacted include: viewing/commenting on planning applications, paying parking/bus lane contraventions, reporting school absences, ordering registrar certificates, viewing household bin schedules, and accessing the Strathclyde Pension Fund portal (SPFOnline). The council presumes customer data related to unavailable web forms may have been exfiltrated.
### Detection & Response
- **How it was discovered:** CGI, the council's IT supplier, discovered the malicious activity on June 19.
- **Response actions taken:** Potentially impacted servers were isolated, leading to service outages. The council initiated cooperation with Police Scotland, the Scottish Cyber Coordination Centre (SC3), and the National Cyber Security Centre (NCSC).
## Attack Methodology
Since the article focuses on the impact and response rather than deep forensics, the methodology is inferred based on the supply chain nature:
- **Initial Access:** Compromise of a sub-tier (fourth-party) vendor environment.
- **Persistence:** (Unknown/Inferred) The activity was only discovered on June 19, so the attackers are assumed to have held access to the supplier's servers for some period before detection; the service disruption itself was caused by containment, not by the attackers.
- **Privilege Escalation:** (Unknown) The source does not describe any escalation; any movement toward environments supporting Glasgow Council services is covered under Lateral Movement below.
- **Defense Evasion:** (Unknown) The breach occurred within a trusted supply chain environment, suggesting inherent trust was exploited.
- **Credential Access:** (Unknown) Presumed necessary to access and exfiltrate data from web form environments.
- **Discovery:** (Unknown) Attackers likely mapped the environment accessible via the supplier's infrastructure.
- **Lateral Movement:** Movement from the fourth-party environment to systems managed by CGI relevant to council services.
- **Collection:** Gathering of customer data linked to specific offline digital services (e.g., planning, payments).
- **Exfiltration:** Potential removal of customer data related to web form submissions.
- **Impact:** Service disruption due to containment via server isolation.
## Impact Assessment
- **Financial:** (Not disclosed)
- **Data Breach:** Potential compromise of customer data related to planning applications, penalty charges, school absence reports, and registrar certificates. Confirmation pending investigation.
- **Operational:** Significant disruption to essential digital services across the council, including payments, scheduling, and regulatory applications.
- **Reputational:** Negative impact due to the inability of citizens to access core online services.
## Indicators of Compromise
- **Network indicators:** (None listed in the source)
- **File indicators:** (None explicitly listed)
- **Behavioral indicators:** Only the generic description of "malicious activity" on supplier-managed servers; no specific behaviours were published.
## Response Actions
- **Containment measures:** Immediate isolation of potentially impacted servers managed by CGI.
- **Eradication steps:** (Not detailed, ongoing investigation)
- **Recovery actions:** Restoration of services pending security clearance (services remained offline at the time of reporting).
## Lessons Learned
- The incident highlights the risk inherent in complex, multi-tiered supply chains: the compromise occurred not at the council's supplier but at that supplier's own supplier (fourth-party risk), outside the council's direct contractual and technical control.
- Immediate isolation of potentially affected servers, while necessary for containment, caused widespread outages of public-facing services, because isolation was applied broadly before the scope of the compromise was known.
- Reliance on external suppliers for core digital functions means an incident upstream translates directly into downtime downstream, with the council unable to restore services until the supplier's investigation clears them.
## Recommendations
- Conduct immediate, thorough audits of security controls, data access permissions, and segmentation across all critical third-party and fourth-party vendors supplying services to the council.
- Implement strong Data Loss Prevention (DLP) monitoring across known high-risk extraction points (web service backends).
- Develop detailed, pre-tested Business Continuity Plans (BCPs) specifically addressing the failure of digital service providers to ensure critical services can maintain manual or alternative digital operation during a confirmed compromise.