Cyber Incident Victim: City of Edinburgh Council
Date:
May 2025
Location:
United Kingdom
Summary
The City of Edinburgh Council detected unusual email activity on its schools and early years IT network and identified a spear‑phishing attempt that prompted an immediate precautionary password reset for all users across the education service. Staff shut down affected networks, informed parents and schools, and arranged for pupils preparing for exams to collect new passwords on site while revision materials were made available on the council website. Officials confirmed that no data was compromised, notified the Scottish Qualifications Authority and the Scottish Government cyber‑coordination centre, and stated that investigations would continue to restore normal operations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On the afternoon of 9 May 2025, City of Edinburgh Council staff observed unusual email activity on the schools and early years IT network and identified it as a spear‑phishing attempt that impersonated a trusted source. As a precaution, the council immediately reset passwords for all users across the education service, including learners, students and staff. Communications were issued to parents, carers and schools to explain the phishing attempt and the password‑reset action. Staff were instructed to reset their own passwords when they returned to school, while a dedicated webpage was created on the council site to provide ongoing updates. The council also notified the Scottish Qualifications Authority, the Educational Institute of Scotland and the Scottish Government’s cyber co‑ordination centre about the incident.
Because the password reset blocked access to revision resources, pupils preparing for upcoming exams were given priority support to regain access. On Saturday 10 May, between 10:15 am and 12:00 pm, students could go to their schools where a member of staff issued them a new password; parents were not permitted to collect passwords on behalf of their children. All revision materials were uploaded to the council website and an online help page was set up to assist pupils. Pupils interviewed at James Gillespie's High School described the loss of access to Teams and other revision tools as a nightmare and an annoyance, noting that some had to travel farther to school and therefore had less time to study. The council stated that it expected normal service to resume by Monday.
The incident followed a suspected criminal ransomware attack on West Lothian Council’s education network earlier in the week, which had forced that authority to use contingency measures to keep schools open. Council officials emphasized that their officers are well trained in recognising phishing attacks and that some networks were immediately shut down to contain the threat. They confirmed that no personal or sensitive data had been accessed and that investigations into the phishing attempt would continue. The council’s education, children and families convener, Councillor James Dalgleish, described the decision to reset passwords as difficult but necessary to protect the integrity of the educational infrastructure. He thanked staff for their vigilance and thanked parents, pupils and teachers for their patience during the disruption.