Two Years After Ransomware Attack, Scottish Council Still Rebuilding Systems

November 28, 2025

A Scottish council remains unable to fully restore critical systems two years after a devastating ransomware attack, highlighting the long-term consequences of inadequate cybersecurity preparation and the challenges facing resource-constrained local authorities.



Comhairle nan Eilean Siar, serving Scotland's Western Isles, suffered a ransomware attack in November 2023 that required extensive system reconstruction. According to a report published by Scotland's Accounts Commission, several systems remain unrestored even now, with large data volumes slowing the digital recovery process.

The Systems Still Down

Systems for housing benefits, council tax, and non-domestic rates remain offline two years after the attack. These revenue-critical functions represent essential services that councils depend upon for both public service delivery and financial sustainability.


The prolonged outage demonstrates how ransomware attacks create lasting operational damage extending far beyond initial incident response. Whilst the council has worked continuously toward recovery, the sheer volume of data requiring reconstruction has made full restoration a multi-year challenge.



Incomplete Security Improvements

Perhaps more concerning than the systems still offline are the cybersecurity improvements that remain unimplemented. The audit notes that as of September 2025, only five of ten recommended security enhancements have been put in place.


The most significant gaps include untested staff training programmes, untested incident response plans, and incomplete compliance with NCSC security principles. These omissions leave the council potentially vulnerable to future attacks even as it struggles to recover from the previous one.


The report states that "weaknesses in IT infrastructure, governance, preparedness, and staff capacity were identified back in 2021/22 and had they been addressed sooner, the impact of the attack might have been reduced."


This observation underscores a common pattern: known vulnerabilities often go unaddressed due to resource constraints, competing priorities, or insufficient urgency—until an attack forces attention on cybersecurity at catastrophic cost.



The Pre-Attack Vulnerabilities

At the time of the attack, multiple factors contributed to the council's vulnerability. Five of seventeen IT positions were vacant, including a senior systems analyst role. Biennial cybersecurity training for staff had lapsed. The IT Health Check was overdue, and Public Sector Network certification had expired for 2022-23 without renewal.


Most critically, the council lacked an incident response and disaster recovery plan—fundamental components of cybersecurity preparedness that should exist before attacks occur, not be developed afterward.


The audit identified that many systems were hosted locally rather than in cloud environments. Beyond cloud-hosted M365, most systems were affected by the attack. Backups were deemed insufficiently robust to minimise impact from potential attacks.


Despite these weaknesses, the council's overall cyber posture was still considered adequate at the time—a judgment that subsequent events proved tragically optimistic.



The Human Cost

Council staff have worked for two years bringing services back online. By April 2025, all services were operational, though departments face significant backlogs of work caused by the attack.


The ransomware locked staff out of data, with some permanently lost. The council couldn't publish 2024 annual accounts on time. Employees pieced together data from disparate sources to file accounts six months late, acknowledging gaps would remain.


Staff workload increased significantly post-attack as manual processes replaced inaccessible digital systems, stretching individuals to capacity. The audit notes this increased workload will affect operations for months or years to come and has damaged staff morale.


Jo Armstrong, Chair of the Accounts Commission, acknowledged the human toll: "Comhairle nan Eilean Siar staff went above and beyond to mitigate the impacts on service users, suppliers, and the local community. This increased pressure on staff as they took on additional work, alongside dealing with day-to-day responsibilities."



The Financial Impact

Direct costs related to the attack stand at an estimated £950,000. Around £250,000 was claimed from the Scottish government, with the council continuing to pursue insurance payouts to cover a larger share of the total costs.


These direct costs primarily relate to consultancy fees, cloud setup costs, and ongoing charges for cloud-based systems. However, the audit notes that Comhairle incurred many more indirect costs, such as those related to missed growth opportunities whilst instructing staff to focus on rebuilding databases.


The true financial impact extends far beyond the £950,000 direct cost figure. Lost productivity, delayed projects, staff overtime, reputational damage, and opportunity costs accumulate into total economic harm several times larger than initial incident response expenses.



The Staffing Challenge

Finding appropriate talent to fill vacant cybersecurity roles presents longstanding challenges for all organisations, but proves especially difficult for cash-strapped local authorities located away from mainland population centres.


This staffing challenge isn't unique to Comhairle nan Eilean Siar. Local councils across the UK struggle to compete with private sector salaries for cybersecurity professionals whilst facing growing threat levels and increasingly sophisticated attacks.


The result creates a dangerous gap: the organisations managing critical public services and sensitive citizen data often possess the least mature cybersecurity capabilities and most resource-constrained IT departments.



What the Council Did Right

Despite the dire circumstances and ongoing recovery challenges, the Accounts Commission commended the authority for an appropriate response given its resources. The council escalated the case to the Scottish government and NCSC, and followed its business continuity plan even though it hadn't been properly stress-tested for scenarios this severe.


The authority quickly identified its HR/payroll system as the most critical system rendered inaccessible and worked to restore functionality. Payroll was restored by month's end so staff didn't miss paychecks, with partial functionality achieved by mid-December.


The council engaged appropriate regulators and third parties, including UK cybersecurity firm NCC Group, to assist with remediation efforts and has made progress in its recovery plan.



The Broader Implications

Armstrong's statement highlights the systemic challenge: "This cyberattack shows how exposed local government is, and the urgent need to test resilience and recovery arrangements. Councils need to assume that it's a case of when, not if, they are attacked."


She emphasised that collective approaches are needed: "They must collaborate, learn from each other, and work closely with partners, including the Scottish Government."


The Accounts Commission urges Comhairle to test its updated business continuity and incident response plans against scenarios as severe as the 2023 attack. The audit notes that whilst the council's response was largely effective, continuity plans weren't applied consistently across the organisation and hadn't been adequately tested.


As a matter of priority, the audit recommends that realistic and achievable timelines should be set for all agreed recommendations, supporting elected members to monitor delivery more effectively and focus on mitigating risks.



Lessons for All Organisations

Comhairle nan Eilean Siar's experience provides crucial lessons extending beyond local government:


Known vulnerabilities demand urgent attention. Weaknesses identified years before the attack contributed to its severity. Cybersecurity improvements cannot be perpetually deferred.

Recovery takes years, not months. Two years after the attack, critical systems remain offline. Organisations must plan for extended recovery timelines when assessing cyber risk.

Testing matters. Having business continuity and incident response plans that haven't been tested against realistic scenarios provides false confidence. Plans must be validated before attacks occur.

Staffing gaps create vulnerability. Vacant IT positions, lapsed training, and expired certifications all contributed to the council's exposure. Adequate staffing isn't optional for cybersecurity.

Indirect costs dwarf direct costs. The £950,000 direct cost represents only a fraction of total economic impact. Lost productivity, damaged morale, and missed opportunities multiply financial harm.



Don't Let Ransomware Define Your Next Two Years

At Altiatech, we help organisations implement robust cybersecurity defences, comprehensive incident response planning, and disaster recovery strategies before attacks occur. Our approach focuses on practical security measures appropriate to your resources and risk profile.


From security assessments identifying vulnerabilities to tested backup strategies ensuring rapid recovery, we provide the expertise that prevents ransomware attacks from becoming multi-year recovery operations.


Don't wait for an attack to discover your defences are inadequate and your plans untested.


Get in touch today:

📧 Email: innovate@altiatech.com
📞 Phone (UK): +44 (0)330 332 5482

Prepare now. Recover faster. Protect what matters.
