Supply Chain Incident Threatens Glasgow Council Services and Data Security

A security incident involving a fourth-party supplier has led to significant disruptions in online services and potential data breaches affecting Glasgow City Council. On June 19, CGI, the council’s primary IT supplier, identified malicious activity on servers controlled by an upstream supplier. In response, the council took swift action by isolating the affected servers, which subsequently resulted in service disruptions for residents.

The disrupted services include functionalities such as online viewing and commenting on planning applications, making payments for penalty charges related to parking or bus lane violations, reporting school absences, and ordering certificates from city registrars. Additionally, users of Strathclyde Pension Fund are currently unable to access the SPFOnline portal, and various online calendars and scheduling tools have also been rendered unavailable.

The council is working closely with Police Scotland, the Scottish Cyber Coordination Centre (SC3), and the National Cyber Security Centre (NCSC) to investigate the situation. At this time, there is no conclusive evidence regarding the removal of any data, although the council is operating under the assumption that customer data from the relevant online services may have been compromised. Consequently, they have promptly notified the Information Commissioner’s Office (ICO) about the potential data exfiltration.

In light of the ongoing investigation, the council advises the public to exercise caution in response to any unsolicited communications from individuals claiming to represent local officials. Anyone receiving such communications should reach out to Police Scotland for further assistance. Security specialists investigating the incident have confirmed that the breach did not originate from email channels, maintaining that email communication with the council remains secure. Citizens should nevertheless remain vigilant against phishing attempts, as the council will never request sensitive information like bank account details or passwords via email.

Fortunately, it appears that the attack has not impacted financial systems, and there is no indication that bank account or credit/debit card details have been compromised.

The specific services that have been impacted include:

  • Access to online planning applications.
  • Availability of penalty charge notices and related functions for evidence access, payments, or online appeals.
  • Access to the SPFOnline portal for pension fund members.
  • Online appointment bookings for registrars.
  • Ability for citizens to schedule callback appointments for revenues and benefits inquiries.

Several online forms and calendars are also currently unavailable, including:

  • Permits
  • Complaints
  • Certificates (births, deaths, marriages)
  • Comments and compliments
  • Freedom of Information requests
  • Applications for dropped kerbs
  • Elections-related applications
  • Public procession requests
  • Sign language interpretation services
  • Library services for filming location inquiries
  • Reporting pupil absences
  • Bin collection schedules
  • Taxi complaint forms
  • Council diaries

While the precise cause of the incident has not yet been determined, the rapid server isolation undertaken by the council, alongside the possibility of data theft, suggests that ransomware or a form of data extortion may be at play. Recent cybersecurity reports indicate that a significant percentage of UK ransomware victims experienced data encryption, with exploited vulnerabilities ranking as the leading cause of initial access. The average ransom demand has notably increased, and UK victims exhibit a higher propensity to comply with payment requests compared to their global counterparts.