Council's services 'still recovering' two years after cyber attack

Some council services in the Western Isles are still dealing with backlogs caused by a "sophisticated" cyber attack two years ago, according to a public spending watchdog.
Hackers installed malicious software when they gained access to Comhairle nan Eilean Siar's systems in November 2023.
The Accounts Commission said staff at the authority went "above and beyond" to act against the attack, but added that services were still recovering.
The watchdog said there were lessons to be learned for all of Scotland's councils, including the need to routinely test for a severe attack.
Malcolm Burr, the comhairle's chief executive, said the report had recognised the scale of the attack's impact, and employees' "excellent response".
In a new report, the Accounts Commission said a number of the comhairle's systems and back-ups were affected by the cyber attack.
Staff and islanders were unable to access a number of services, including those related to council tax, non-domestic rates and benefits.
After discovering the hack, the comhairle immediately put emergency arrangements in place.
The watchdog said it was a sophisticated attack and praised the local authority's "swift" response to it.
It added: "However, auditors have highlighted the pressures placed on many staff and we expect the comhairle to consider the lessons which could be learned in relation to communicating with and supporting staff during periods of high stress and increased workload related to significant events."
It later said: "Although the comhairle's response following the attack was largely effective, business continuity plans were not applied consistently, nor had they been tested with scenarios as severe as this one.
"As a matter of urgency, we expect thorough and routine testing of the comhairle's newly developed cyber incident response, disaster recovery, and business continuity plans."

The comhairle's chief executive Malcolm Burr said the report acknowledged the significant risk of cyber attacks to local authorities.
He said: "The report illustrates the scale of the cyber attack's impact and commends the excellent response of Comhairle nan Eilean Siar employees in continuing the operation of comhairle services."
Mr Burr said the comhairle would review the findings and use the commission's recommendations to inform its ongoing work to improve security.
Among the actions taken by the comhairle in the wake of the attack was using previous payroll records to make sure staff were paid.
Mobile phones also ensured communications were maintained with schools.
But the impact led to the comhairle having to build a new website and some bills, including council tax, were delayed.
Dealing with the cyber attack has cost the comhairle almost £1m.
Accounts Commission chairwoman Jo Armstrong said: "This cyber-attack shows how exposed local government is, and the urgent need to test resilience and recovery arrangements.
"Councils need to assume that it's a case of when, not if, they are attacked.
"A collective approach is needed to prepare councils for an increasingly digital future – they must collaborate, learn from each other and work closely with partners, including the Scottish government."