Glasgow City Council has become the second local authority in the UK to have disclosed a security incident in the past few days, after multiple online services were knocked out in a cyber attack that may have involved the theft of customer data.
The cyber attack was first detected a week ago, on Thursday 19 June, after council IT supplier CGI found evidence of “malicious activity” on servers managed via an as-yet-unnamed third-party.
The affected servers were taken offline, but naturally, the act of isolating these systems has left the council unable to operate its usual range of online public services effectively.
Currently, online planning application services, penalty charge notices, appeals and payments, registrar appointment bookings, and online revenue and benefit callback appointment bookings are inaccessible. Glasgow Council employees and ex-employees are also unable to access the council’s pension fund portal, Strathclyde Pension Fund Online.
Additionally, Glasgow Council revealed, online forms and calendars relating to multiple other services are also unavailable, including sign language interpretation services, freedom of information (FoI) requests, bin collection calendars, school absence reporting and complaints.
Glasgow Council confirmed an investigation is underway, with assistance from Police Scotland, the Scottish Cyber Coordination Centre (SC3) and the wider National Cyber Security Centre (NCSC).
“Glasgow City Council apologises for the anxiety and inconvenience this incident and the necessary response to it will undoubtedly cause,” the council said in a statement.
“At this stage, we can’t confirm whether data has actually been removed, and if so, what that data is, [but] as a precaution, we are operating on the presumption that customer data related to the currently unavailable web forms may have been exfiltrated, and we have contacted the Information Commissioner’s Office (ICO) on this basis.
“No council financial systems have been affected in this attack and no details of bank accounts or credit [or] debit cards processed by those systems have been compromised.”
The council is advising employees and residents to be particularly cautious about contact from anybody claiming to represent it until it can confirm whether or not there has been a data leak. It stressed that in instances in which it does need to communicate via email, it will never ask for any bank account details or passwords.
The incident in Glasgow comes hot on the heels of a cyber attack on Oxford City Council, which took place earlier in the month but went undisclosed until 19 June. This incident seems to have been largely contained, but appears to have resulted in the theft of historical personal data related to election workers.
Uncomfortable truth
Though no connection between the two attacks has been discovered or should be inferred, the incidents highlight an uncomfortable truth that local authorities across the UK are incredibly vulnerable, according to Jamf’s senior security strategy manager for EMEA, Adam Boynton.
“Local councils are the beating heart of our communities, and cyber criminals know it. When you combine sensitive personal data, ageing infrastructure and a sprawling network of third-party suppliers, you create the perfect storm for targeted cyber attacks,” he said.
“Public sector security is only as strong as its weakest vendor. In today’s threat landscape, it is no longer enough to secure your own perimeter. Councils must extend their security posture across the entire digital supply chain,” added Boynton.
“That means more than ticking boxes. It means enforcing secure-by-default configurations, mandating multifactor authentication, and ensuring suppliers uphold the same patching and monitoring standards expected internally.
“We need to move from reactive clean-up to proactive, enforced resilience. That starts with treating third-party risk as first-party responsibility and embedding cyber security as a foundational part of public sector procurement and governance.”