[BreachExchange] Pollution data permanently lost because of cyber attack

[Terrell Byrd]

https://theferret.scot/pollution-data-lost-cyber-attack/

Information on thousands of environmental checks and pollution breaches
over 15 months has been permanently lost because of a cyber attack,
according to the Scottish Government’s green watchdog.

The Scottish Environment Protection Agency (Sepa) has admitted that it
cannot recover information from its national monitoring, compliance and
enforcement databases in 2019 and 2020 because “information no longer
exists”.

Sepa also disclosed that data on inspections and enforcement actions
against polluters had been lost from staff computers.

Campaigners warned that Scotland’s environment is now suffering because
Sepa is “completely gutted, destroyed and incapable of functioning”. They
have called for Scottish ministers to take action to ensure the environment
is protected.

One former Sepa boss described the lost databases as a “disaster”,
suggesting that “chancers and criminals” could have been given “a free
pass”. Large parts of Sepa’s work had been “undoubtedly crippled”, said an
expert.

Sepa stressed that recovering from organised cyber crime was “challenging
and complex”. It said it was “confident that we’ll recover the most
important environmental data”.


The revelations come in the wake of a report by Audit Scotland on 1
February saying that the cyber attack meant £42 million of Sepa’s income
couldn’t be verified. Sepa also had to write off £2 million in fees due to
lost records.

The attack against Sepa’s computers was launched on Christmas Eve 2020 by
an international criminal gang known as Conti, which has reportedly
attacked more than 400 organisations worldwide. It demanded a ransom, which
Sepa refused to pay.

“The majority of Sepa’s data was encrypted, stolen or lost,” concluded
Audit Scotland. “The sophisticated nature of the attack meant that online
backups were targeted and corrupted at an early stage.”

The extent of the damage done to Sepa’s environmental information systems
has been revealed in a report seen by The Ferret. It was released by Sepa
in January in response to a request under freedom of information (FoI) law.

The report said that Sepa had been unable to retrieve information from
three of its major databases between October 2019 and December 2020. These
were the national environmental monitoring system, the compliance
assessment scheme and the enforcement tracking database.

Together these contained many thousands of measurements of air, water and
land pollution across Scotland, as well as details of pollution breaches at
hundreds of industrial sites. They included data on the contamination of
rivers, lochs and bathing waters.

The lost databases would also have had unknown numbers of records of
pollution incidents and of enforcement actions taken against polluters.
“Information no longer exists due to circumstances outside Sepa control,”
said Sepa’s FoI response.

“Although this information was held at the time of the request (18 November
2020), it is no longer held and Sepa cannot provide it.” Sepa was able to
recover and provide information from the databases from before October 2019.

According to Sepa, the “U-drives” from staff’s individual computers, which
contained information on inspections and enforcement actions against
polluters, were also unrecoverable. Sepa employs 1,268 people.

In addition Sepa has been unable to access printed records in its office in
Fort William because “the effects of water ingress in March 2021 renders it
inaccessible at this time”.

Sepa has so far failed to publish any results from its compliance
assessment scheme for 2019, 2020 or 2021. This previously reported on the
environmental performances of over 5,000 sites every year, including
factories, waste plants, fish and land farms.


The Scottish Pollution Release Inventory has also disappeared from Sepa’s
website. It was meant to provide detailed information on emissions to air
and water of some 80 pollutants from more than a thousand sites, including
big climate polluters.

The Ferret reported in May 2021 that Sepa was struggling to process
thousands of pollution permits, planning applications and waste licences.
It had not been able to receive air and water pollution returns from
companies, handle reservoir and other registrations, nor provide
information on the past state of Scotland’s rivers.

Sepa admitted at the time that its systems had been “badly affected” and
there “may be a risk” to the environment if it failed to quickly restore
services.

Sepa’s report on database losses was obtained by the fish farming
campaigner, Corin Smith. He asked for details of inspections and
enforcement actions at some of Scotland’s 200 plus salmon farms.

Because Sepa had lost records since October 2019 some salmon farmers could
escape enforcement action, he argued. “This will undoubtedly result in
chemicals and salmon feedlot sewage going into our seas unchecked and
damage being done,” he said.

“We have a national environmental protection agency, which by its own lack
of competency and preparedness, finds itself completely gutted, destroyed
and incapable of functioning.”

Smith attacked the Scottish Government for being “two-faced” on
environmental protection, and demanded action from ministers. “By any
reasonable assessment, Sepa is now an environmental protection agency in
name only,” he added.

Professor Campbell Gemmell, who was chief executive of Sepa from from 2003
to 2012, characterised the lost databases as a “disaster” and a “shambles”
that made him “angry and sad”. The cyber attack was “despicable and
criminal” but the failures that allowed it to occur were “systemic”, he
argued.

“It’s hard to see how the agency can do its job or indeed recover its
reputation from this position. It seems like time to stop and start again,”
Gemmell told The Ferret.

“I hope, despite a focus on centralised electronic systems, that some had
the wisdom to keep paper records. Otherwise, too many careless operators as
well as the chancers and criminals out there have simply been given a free
pass.”

According to Professor Andrew Watterson, an expert on environmental
regulation from the University of Stirling, it was “a matter of profound
concern” that so much information had been lost. “This has undoubtedly
crippled large parts of Sepa’s work,” he said.

“It must make it impossible for the agency itself to function effectively
and, also very important, for those outwith Sepa to find out how, for
example, fish farm companies have been complying with environmental
regulations and inspections.”

Friends of the Earth Scotland described the cyber attack as “devastating”
and called for “lessons to be learned” across the public sector. “Data
which might have resulted in action against polluting companies is gone
forever,” said the environmental group’s director, Dr Richard Dixon.

“It is a virtual certainty that the Scottish environment is in a worse
state today because of the cyber attack, and this will be as frustrating
for Sepa staff as it is for groups like ours.”

We’re not rebuilding what we had. We’re building better, more accessible
systems for the future.

Jo Green, Scottish Environment Protection Agency
The Scottish Environment Protection Agency accepted that it hadn’t been
able to recover all “significant” data. “We remain confident that we’ll
recover the most important environmental data, with good progress being
made on significant data sets,” said acting chief executive, Jo Green.

“We’re not rebuilding what we had. We’re building better, more accessible
systems for the future which allow direct public interrogation of more of
the information we hold.”

Green stressed that Sepa had been able to reinstate many of its vital
services. “Make no mistake, recovering from serious and significant
internationally organised cyber-crime is challenging and complex,” she
added.

“Audit Scotland made clear that no organisation can fully defend itself
against the threat of today’s sophisticated cyber attacks and that Sepa was
on a solid starting position. This reflected the findings of a series of
independent audits commissioned and published by Sepa to share our
learnings widely.”

Green agreed with the auditor that “recovery will take time”. But she
argued that across the 14 months since the attack had taken place Sepa was
“recovering”.

She continued: “We’ve been open and transparent about our readiness,
resilience, response and recovery, publishing clear service status updates.
Whilst we know there’s more to do, it’s important to recognise that
colleagues working across Scotland have achieved a lot.”

Green has replaced Sepa’s former chief executive, Terry A’Hearn, who
resigned suddenly on 21 January after unspecified “conduct allegations”.

The Scottish Government said it was working closely with Sepa to mitigate
risks. “It is deeply regrettable that information was lost as a result of
the cyber attack, which caused considerable disruption,” a spokesperson
added.

“Sepa has worked hard to recover and to make sure the impact on their
services was minimised. This includes vital work on flood avoidance,
protection and warning services, helping Scotland respond to serious
storms, and tackling serious and organised waste crime.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220207/82375ff2/attachment.html>