Article Details

Scrape Timestamp (UTC): 2025-11-27 12:16:57.929

Source: https://www.theregister.com/2025/11/27/western_isles_ransomware_council/

Original Article Text

Scottish council still rebuilding systems two years after ransomware attack

Audit sympathetic toward Comhairle nan Eilean Siar as staff stretched to capacity trying to recover

Auditors remain concerned about the cyber resilience of a Scottish council as some systems are yet to be fully rebuilt following a ransomware attack in November 2023.

The ransomware attack on Comhairle nan Eilean Siar, in Scotland's Western Isles, required "several" of its systems to be reconstructed, among other damage – especially to the authority's finance department.

Systems for housing benefits, council tax, and non-domestic rates remain unrestored, with their large data volumes slowing the digital renovation, the audit noted.

A report [PDF] on the attack, published by Scotland's Accounts Commission today, commended the Comhairle's swift response to the attack, but highlights various gaps that remain in its cybersecurity defenses.

In addition to systems destroyed by the attack that still have not been rebuilt two years later, some of the key recommended cybersecurity improvements made at the time have also yet to be implemented.

As of September 2025, the audit notes that only five of the ten recommendations were put in place. The most significant areas yet to be addressed include testing staff training programs, testing the incident response plan, and meeting full compliance with the NCSC's security principles.

The audit report states: "Weaknesses in IT infrastructure, governance, preparedness, and staff capacity were identified back in 2021/22 and had they been addressed sooner, the impact of the attack might have been reduced.

"As a matter of priority, realistic and achievable timelines should be set for all agreed audit recommendations which will support elected members to monitor delivery more effectively and focus on mitigating risks. This is important for any agreed recommendations in all councils."

Among the various weaknesses identified was the locally hosted nature of many systems. Other than the cloud-hosted M365, most were affected by the attack.

The council's backups were also not considered robust enough to minimize the impact of a potential attack, but together with the audit's perceived on-prem vulnerabilities, its overall cyber posture was still considered adequate at the time.

The Accounts Commission says that, as a matter of urgency, the Comhairle council must test its updated business continuity and incident response plans against scenarios as severe as the 2023 attack.

It notes that the Comhairle's response to the attack "was largely effective," but the continuity plans were not applied consistently across the organization and had not been adequately tested.

Jo Armstrong, Chair of the Accounts Commission, said in a statement: "This cyberattack shows how exposed local government is, and the urgent need to test resilience and recovery arrangements. Councils need to assume that it's a case of when, not if, they are attacked. A collective approach is needed to prepare councils for an increasingly digital future – they must collaborate, learn from each other, and work closely with partners, including the Scottish Government.

"Comhairle nan Eilean Siar staff went above and beyond to mitigate the impacts on service users, suppliers, and the local community. This increased pressure on staff as they took on additional work, alongside dealing with day-to-day responsibilities. We want the council to take action to improve how they communicate and support staff during significant events that could increase workload and stress."

Staffing shortfalls

Finding the right talent to fill vacant cybersecurity roles is a longstanding challenge for all types of organization, but this is especially true for cash-strapped local authorities, particularly those located away from the mainland.

At the time of the Comhairle's ransomware attack, the audit notes that five out of the total 17 IT positions at the council were vacant, including that of a senior systems analyst, and the biennial cybersecurity training for wider staff members had lapsed.

Further, its IT Health Check was overdue, and the council's Public Sector Network (PSN) certification had expired for 2022/23. It was not renewed at the time of the attack, when Comhairle also lacked an incident response and disaster recovery plan.

Staff have worked for the past two years to bring council services back online. As of April 2025, all services were operational, although the authority's departments are all tasked with handling a backlog of work caused by the attack, which remains to be cleared.

The vast majority of this work pertains to rebuilding databases. The ransomware attack locked staff out of much of the data and some was rendered permanently lost. As a result, the council could not publish 2024 annual accounts on time.

Council employees had to piece together what data they could from disparate sources to file those accounts six months late, and it still acknowledged that there would be gaps in the data.

Overall, direct costs related to the attack stand at an estimated £950,000 ($1.25 million). Around £250,000 ($330,000) was claimed from the Scottish government, and the council continues to pursue an insurance payout to cover a larger share of the total outlay.

These costs primarily relate to consultancy fees, cloud setup costs, and ongoing charges for cloud-based systems. The audit notes that Comhairle incurred many more indirect costs, such as those related to missed growth opportunities while instructing staff to focus on rebuilding databases.

The volume of work handled by staff increased significantly post-attack, as manual processes replaced the inaccessible digital alternatives, and this stretched individuals to capacity. This increased workload is expected to affect operations for months or years to come, and has dented staff morale, the audit notes.

The Comhairle's response

The Accounts Commission commended the authority for an appropriate response given its resources at the time.

The council escalated the case to organizations like the central Scottish government and the NCSC, and followed its business continuity plan, even though it wasn't properly stress-tested for a scenario as serious as the ransomware attack it faced.

It also quickly identified that its HR/payroll system, ResourceLink, was the most critical system rendered inaccessible, and it worked quickly to restore functionality. Payroll was restored by the end of the month, so staff did not miss a paycheck, and partial functionality was achieved by mid-December.

The authority engaged the right regulators and third parties, like UK cybersecurity biz NCC Group, to help with remediation efforts, and has made some progress in its recovery plan.

Daily Brief Summary

CYBERCRIME // Scottish Council Struggles with Long-Term Ransomware Recovery Challenges

Comhairle nan Eilean Siar in Scotland has been rebuilding systems for two years following a ransomware attack in November 2023, with key financial systems still not fully restored.

The attack significantly impacted the council's finance department, delaying the publication of 2024 annual accounts and increasing operational workloads across departments.

An audit by Scotland's Accounts Commission praised the council's immediate response but noted ongoing cybersecurity gaps, including unimplemented improvements and insufficient staff training.

The council's IT infrastructure, primarily locally hosted, was vulnerable, with inadequate backups exacerbating the attack's impact, highlighting the need for robust cybersecurity measures.

Direct costs of the attack are estimated at £950,000 ($1.25 million), with the council seeking insurance and government support to cover expenses related to consultancy and cloud services.

Staffing shortages and increased workloads have strained council operations and morale, with five of 17 IT positions vacant at the time of the attack.

The Accounts Commission urges the council to set realistic timelines for implementing cybersecurity recommendations and to test business continuity plans against severe attack scenarios.