Auditors remain concerned about the cyber resilience of a Scottish council as some systems are yet to be fully rebuilt following a ransomware attack in November 2023.
The ransomware attack on Comhairle nan Eilean Siar, in Scotland's Western Isles, required "several" of its systems to be reconstructed, among other damage – especially to the authority's finance department.
Systems for housing benefits, council tax, and non-domestic rates remain unrestored, with their large data volumes slowing the digital renovation, the audit noted.
A report [PDF] on the attack, published by Scotland's Accounts Commission today, commended the Comhairle's swift response to the attack, but highlights various gaps that remain in its cybersecurity defenses.
In addition to systems destroyed by the attack that still have not been rebuilt two years later, some of the key recommended cybersecurity improvements made at the time have also yet to be implemented.
As of September 2025, the audit notes that only five of the ten recommendations were put in place. The most significant areas yet to be addressed include testing staff training programs, testing the incident response plan, and meeting full compliance with the NCSC's security principles.
The audit report states: "Weaknesses in IT infrastructure, governance, preparedness, and staff capacity were identified back in 2021/22 and had they been addressed sooner, the impact of the attack might have been reduced.
"As a matter of priority, realistic
Source: https://www.theregister.com/2025/11/27/western_isles_ransomware_council/
TPRM report: https://www.rankiteo.com/company/comhairle-nan-eilean-siar
"id": "com1764252014.056607",
"linkid": "comhairle-nan-eilean-siar",
"type": "Ransomware",
"date": "2023-11-01T00:00:00.000Z",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'customers_affected': None,
'industry': 'public administration',
'location': 'Western Isles, Scotland, UK',
'name': 'Comhairle nan Eilean Siar '
'(Western Isles Council)',
'size': None,
'type': 'local government'}],
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': None,
'sensitivity_of_data': None,
'type_of_data_compromised': None},
'date_detected': '2023-11',
'description': 'A ransomware attack in November 2023 targeted '
'Comhairle nan Eilean Siar (Western Isles '
'Council, Scotland), severely disrupting its IT '
'systems, particularly in the finance department. '
'Key systems for housing benefits, council tax, '
'and non-domestic rates were destroyed and remain '
'unrecovered as of September 2025 due to the '
'large data volumes involved. The attack exposed '
'weaknesses in IT infrastructure, governance, '
'preparedness, and staff capacity, which had been '
'flagged in audits as early as 2021/22. While the '
'council responded swiftly, only 5 of 10 '
'recommended cybersecurity improvements '
'(including staff training, incident response '
'testing, and NCSC compliance) have been '
'implemented as of 2025.',
'impact': {'brand_reputation_impact': 'Negative (highlighted by '
'audit reports and '
'unresolved system '
'outages)',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': None,
'downtime': '2023-11 to at least 2025-09 (ongoing for '
'some systems)',
'financial_loss': None,
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': 'Severe disruption to financial '
'operations, including delayed '
'recovery of critical systems '
'(e.g., housing benefits, '
'council tax).',
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': ['finance department systems',
'housing benefits systems',
'council tax systems',
'non-domestic rates systems']},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': ['finance '
'department '
'systems'],
'reconnaissance_period': None},
'investigation_status': 'Ongoing (as of 2025-09, with unresolved '
'system recoveries and unaddressed '
'recommendations)',
'lessons_learned': 'Proactive addressing of audit-identified '
'weaknesses (e.g., IT infrastructure, '
'governance, staff capacity) could have '
"mitigated the attack's impact. Delayed "
'implementation of cybersecurity '
'recommendations (e.g., NCSC principles, '
'incident response testing) prolonged '
'recovery and left systems vulnerable.',
'post_incident_analysis': {'corrective_actions': ['Partial '
'system '
'reconstruction '
'(ongoing).',
'50% '
'completion of '
'audit '
'recommendations '
'(as of '
'2025-09).'],
'root_causes': ['Unaddressed '
'weaknesses in IT '
'infrastructure, '
'governance, and '
'staff capacity '
'(identified in '
'2021/22).',
'Delayed '
'implementation of '
'cybersecurity '
'improvements (e.g., '
'NCSC principles, '
'incident response '
'testing).',
'Inadequate system '
'backups or recovery '
'plans for large data '
'volumes.']},
'ransomware': {'data_encryption': True,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'recommendations': ['Fully implement all 10 cybersecurity '
'recommendations from the 2023 audit, '
'prioritizing staff training, incident '
'response testing, and NCSC compliance.',
'Accelerate system reconstruction, '
'especially for critical financial services '
'(e.g., housing benefits, council tax).',
'Strengthen IT governance and preparedness '
'to prevent future incidents.',
'Address long-standing vulnerabilities '
'flagged in 2021/22 audits.'],
'references': [{'date_accessed': '2025-09',
'source': "Scotland's Accounts Commission Audit "
'Report',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': True,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': 'Rebuilding destroyed systems '
'(e.g., finance, housing '
'benefits, council tax), '
'hindered by large data '
'volumes.',
'remediation_measures': 'Partial system '
'reconstruction (ongoing as '
'of 2025-09); only 50% of '
'recommended improvements '
'implemented (e.g., staff '
'training, incident '
'response testing, NCSC '
'compliance).',
'third_party_assistance': None},
'title': 'Ransomware Attack on Comhairle nan Eilean Siar '
'(Western Isles Council)',
'type': 'ransomware'}