In today’s bulletin, Charlie looks at the cyber attack that has affected Comhairle nan Eilean Siar and discusses the impacts of the attack.
This week, I conducted an exercise with a client in the financial sector. At the end of the exercise, we discussed how long it would take the organisation to recover all its systems after the attack we had used in our scenario. On the situation report sheet, which was developed as part of the exercise documents, there was a recovery estimate of 1–7 days for essential services and up to 14 days for all other services. The client said that they practised the recovery often, and there was the possibility of recovering everything in 4 hours.
As I have said many times, I am not a technical IT person, so who am I to say that he was wrong? But my gut felt that this was overly optimistic and that the actual time could be longer. It is extremely important that senior managers are aware of the realistic time it would take to recover all their systems, so they can plan for the continuity of operations and what they can and can’t deliver. If the four hours are realistic, then the senior managers can sleep easy knowing that a cyber attack, in terms of their ability to continue delivering services to customers, would have minimal impact.
After a cyber attack, if an organisation promises in its communications that the incident will have very little impact and subsequently finds that, in reality, recovery will take a lot longer, it has severely dented its credibility right at the beginning of the incident.
This week, I also came across an article on welovestornoway.com, talking about the ongoing impact of the cyber attack on Comhairle nan Eilean Siar (Western Isles Council), which, 15 months later, is still affecting the services the council delivers. As I come from the Isle of Coll in the Hebrides, I have always had an interest in Western Isles events, especially anything involving emergency planning or cyber incidents, so I have always kept an eye on Comhairle nan Eilean Siar’s response to their cyber hack on 7th November 2023.
Seeing that there is still an impact a year and a quarter after the attack, I thought I would do some research on the initial impact and how the cyber incident is still affecting the organisation and its service delivery.
On 7th November 2023, Comhairle nan Eilean Siar suffered a serious cyber attack that impacted most services. The incident had a substantial effect across most council systems, and only cloud-based applications were unaffected. The attack took out their website and telephone system, but Microsoft 365 (Teams, SharePoint, and email) remained operational. The initial impact of the incident affected the following systems:
- Financial and Revenue Systems – Loss of financial ledgers, payroll, HR records, council tax collection, and supplier payment systems, requiring manual workarounds. Council tax and non-domestic rates billing were delayed for several months.
- Planning and Land Services – Planning portal and land charges systems taken offline, delaying applications and property transactions.
- Social Care & Community Services – Care management system inaccessible, preventing accurate financial assessments for care home residents.
- IT Infrastructure and Communication – Council telephone system taken offline, file servers encrypted, and some external email communication blocked.
- Municipal and Public Services – Energy management and public transport systems remained operational but were affected, requiring manual monitoring.
- Education & Children’s Services – School systems were disrupted, losing access to internal documents, but cloud-based services remained functional. The school systems were separate from the council systems, so school estates were not affected.
- Public-Facing Services – Council website taken offline, restricting public access to records, policies, and minutes.
Manual workarounds had to be used in many cases, including paying staff the same as they were paid the previous month, and revenues collected could not be allocated against the correct accounts. Most systems were restored so that council functions could continue, but 15 months on, some systems have still not been restored. Many of these rely on historical data, and as system backups were encrypted, the data will be lost forever.
The long-term impacts still affecting the organisation are as follows:
- The planning system is still not up and running. The council is still working with an interim solution, and only partial land searches can be offered, with a turnaround time of 90–95 days. They are still unable to process full land searches or accept applications online. This is interesting because Hackney Council also suffered a similar cyber attack, and looking at their website, five years after their attack, their planning system is still not working at full functionality.
- Audit Scotland, in its 2022/23 audit of the council, had to caveat its audit as financial records had been lost, meaning not all spending could be verified. In its report, Audit Scotland said: “The procurement and rebuild of affected systems is an ongoing process. The rebuilt financial systems and internal controls will require significant additional audit work in our 2023/24 audit to assess whether we have sufficient assurance over the completeness and accuracy of transactions and balances in the 2023/24 financial statements.” This experience is similar to that of SEPA (Scottish Environment Protection Agency), whose accounting records had to be recreated from bank statements and HMRC records, leaving auditors unable to fully examine SEPA’s finances, including £42 million of contract income. I was listening to a podcast about the logistics company Knights of Old going into receivership after a cyber attack. They needed to borrow money to stay afloat, but because they couldn’t produce financial information for lenders, as it had been lost in the cyber attack, lenders refused to provide financial assistance.
- Audit Scotland increased their audit fee by 10% (£26,910) due to the increased workload resulting from the cyber attack.
- One of the reports lost was the financial assessment of individuals requiring residential care, which examines whether they have the financial means to pay for care themselves. Of the 192 service users who reside in Comhairle and independent private care homes, 132 financial assessments have had to be redone for 2024/25.
- A second report that was lost examined spending on community planning and engagement.
- In local authorities, transparency is extremely important. Key meetings where decisions are made must have publicly available minutes. The council website included the following statement: “Due to the cyber-attack experienced by the Comhairle on 7th November 2023, the minutes are currently unavailable. The webpage will be updated once content has been recovered or replaced with more up-to-date documents.” This applied to meetings about the Local Development Plan, Customer Service Strategy, Gaelic Language Plan, Winter Maintenance Policy and Operational Plan, and the Local Heat and Energy Efficiency Strategy.
- After the attack, a report was prepared for the Comhairle’s Audit and Scrutiny Committee. The report, issued on 23rd October 2024, included ten recommendations from the Cyber Attack Response report to strengthen data security and the council’s response to cyber incidents. Progress on these recommendations was audited on 14th January 2025, and it was found that only one of the ten recommendations had been implemented.
- The Chief Executive, Malcolm Burr, said that “many transformation projects are being hampered, and some of the work had been lost in the cyber attack.”
- All Scottish local authorities are under financial pressure, and this incident has already cost over £1m, putting further strain on the council’s finances.
It seems to me, as an outsider, that most of the council’s systems are up and running, but some areas are still impacted, and information has been lost permanently due to encryption. Some of it can be reconstructed from other documents, such as financial records, but like Hackney Council, key planning information may be lost for good. The long-term impact of this incident highlights the importance of immutable backups and the need to plan and practise recovery. Although the IT manager mentioned at the beginning of this bulletin claimed that the IT recovery could be completed in 4 hours, this incident shows that, in reality, it could take much longer.