Supply Chain Incident Imperils Glasgow Council Services and Data – Source: www.infosecurity-magazine.com

A security incident at a fourth-party supplier earlier this month has led to online service disruption and potential customer data theft, Glasgow City Council has warned.

On June 19, the council’s IT supplier CGI discovered malicious activity on servers managed by one of its own suppliers. The council said it has isolated any potentially impacted servers as a result, leading to the disruption of digital services for locals.

“This includes viewing and commenting on planning applications; paying penalty charges for parking or bus lane contraventions; reporting school absences, and ordering certificates from city registrars,” it explained.

“Some online diaries and calendars are not available – for example, household schedules for bin collections. Members of Strathclyde Pension Fund are not currently able to access the SPFOnline portal.”

Read more on local authority breaches: Personal Data of Oxford City Council Officers Exposed

The council is currently cooperating with Police Scotland, the Scottish Cyber Coordination Centre (SC3) and the National Cyber Security Centre (NCSC) to investigate the incident.

“At this stage we can’t confirm whether data has actually been removed and, if so, what that data is,” it said.

“As a precaution, we are operating on the presumption that customer data related to the currently unavailable web forms may have been exfiltrated, and we have contacted the Information Commissioner’s Office (ICO) on this basis.”

Council Urges Caution

Until it has worked out whether data was stolen or not, the council is urging citizens to be cautious if they receive emails, texts or phone calls from any individuals claiming to be local officials.

Anyone contacted by someone claiming to have their data is asked to contact Police Scotland on 101.

“Security specialists reviewing this incident have confirmed that it was not caused by email,” the council revealed.

“Email communication with the council remains safe – although, as always, you should be suspicious of any email which asks you to provide bank account details, passwords or other secure information. The council will never ask you for details like that by email.”

Fortunately, no finance systems have been impacted by the attack and Glasgow City Council claimed no bank account or credit/debit card details have been compromised. 

The full list of impacted services is as follows:

• Planning – online access to planning applications is unavailable
• Penalty charge notices – citizens are unable to access contravention evidence, make payments or submit online appeals
• Pensions – members are unable to access the SPFOnline portal
• Registrars – citizens are unable to book appointments online
• Revenues and benefits – citizens are unable to book callback appointments online

The following online forms and calendars are also unavailable:

• Permits
• Complaints
• Certificates (births, deaths, marriages)
• Comments and compliments
• FOI requests
• Application for footway crossing (dropped kerbs)
• Elections
• Planning enforcement
• Planning statutory enforcement
• Public processions
• Future processions
• Sign language interpreter service (SLIS)
• Glasgow Film Office location library
• Pupil absence
• Bin calendar
• Taxi complaints form
• Council diary

Although the council has yet to specify what the cause of the incident may be, its speed in isolating servers and the potential for data theft point to ransomware or some form of data extortion.

Some 70% of UK ransomware victims last year had data encrypted – well above the global average – with exploited vulnerabilities the number one cause of initial access, according to a Sophos report published this week.

The average ransom demand more than doubled annually in 2024, with British victims more likely to pay than their global peers.