HACKERS launched nine cyber attacks on Edinburgh City Council computers over the last three years, figures reveal.
Cases included targeted malware – software specifically designed to disrupt or damage systems – and computers bombarded with data to collapse networks.
The attempts are disclosed on the second day of a special investigation into cyber security. A City of Edinburgh Council spokeswoman said: “The ongoing security of the council’s website is critically important.
“We are extremely vigilant and are continually implementing security measures to ensure the integrity of stored data. Our IT staff also continue to work with our service providers to ensure that any risks associated with cyber attacks are dealt with swiftly and robustly.”
All nine cases came in the 18 months occurred between November 2014 and April 2016 – with details released under Freedom of Information laws.
The biggest single attack saw 13,000 email addresses stolen from the council’s website in a so-called “SQL injection attack”.
Hackers post malignant code in data entry fields before extracting the database contents – in this case, email addresses.
Malware got through council computer defences in November 2014, February 2015 – when access to council systems was blocked – and again in November 2015.
In December 2015, two unnamed council systems were hit by a distributed denial of service attack. Such a case sees incoming traffic flooding computers from multiple sources – potentially hundreds of thousands or more.
This effectively makes it impossible to stop the attack simply by blocking a single web address.
It also makes it very difficult to distinguish legitimate user traffic from attack traffic when coming from so many sources.
There were four attacks on council systems in the three months from February to April last year alone – including one in which a health centre system was “compromised”.
Details of who launched the attacks and any motives were not included in information released by the council.
Nationally, nearly two-thirds (60 per cent) of Scottish councils and more than half of health boards logged attempted or successful cyber attacks in the past three years.
Only half of local authorities reported incidents to the police, while attacks are routinely treated as “business as usual”.
Ransomware – both attempted and successful – was among the most common type of attack experienced by public bodies.
This sees authorities bombarded with thousands of spam emails and receiving ransom demands to decrypt data.
Freedom of Information requests showed 19 of Scotland’s 32 councils experienced either attempted or successful attacks since 2014.
Ransomware attacks were reported by 14 local authorities, sometimes on multiple occasions. Four councils refused to reveal any information, with two fearing doing so would leave them vulnerable to future attacks. More than half of Scotland’s health boards have been targeted by cyber criminals since 2014.
Research by the Johnston Press Investigations Unit has revealed that, apart from the WannaCry attack in May, none of the incidents were reported to Police Scotland despite at least nine successfully breaching systems.
Eleven of Scotland’s health boards were affected by WannaCry which affected the NHS network across the UK.
Bosses at NHS Lothian reported no cyber attacks resulting in a breach of security.
Some of Scotland’s top universities have fended off a barrage of cyber attacks in the past three years. Nine institutions reported cyber incidents including ransomware, phishing and malware.
Musselburgh’s Queen Margaret University reported no attempted or successful attempts while Edinburgh and Napier refused to disclose any details, with some arguing disclosure would compromise security.
In the past three years, Scottish Agricultural Scientific Agency (SASA), About Scotland, the National Records of Scotland, and the Student Awards Agency Scotland all had their systems breached by cyber attacks.
The National Records of Scotland was forced to close its on-site Scotland’s People family history service for two weeks in early 2016 due to a ransomware attack, while SASA had its website defaced to feature links to advertising malware before it was taken offline.
A Scottish Government spokesperson said public sector bodies take cyber security “seriously” with an action plan being developed by the National Cyber Resilience Leaders’ Board (NCRLB).
“The NCRLB’s recommendations are expected to have reference to the Cyber Essentials accreditation scheme, which is endorsed by the National Cyber Security Centre (NCSC), and which helps protect organisations from the most common forms of cyber-attack,” added the spokesperson. “The Cyber Essentials scheme is open to the public, private and third sectors, and offers a sound foundation of basic cyber security measures that all types of organisation can implement and potentially build upon.”
A spokeswoman for Police Scotland said: “We always encourage anyone who thinks they’ve been a victim of cybercrime to come forward and report it to police.”
The JP investigations team are: Aasma Day, Cahal Milmo, Don Mort, Chris Burn, Ruby Kitchen, Paul Lynch, Oli Poole, Gavin Ledwith, Ben Fishwick, Philip Bradfield and Deborah Punshon