Cyber Incident Victim: Glasgow City Council

On Thursday 19 June 2025, Glasgow City Council’s ICT supplier CGI detected malicious activity on servers that are managed by a third‑party provider, prompting the authority to take those servers offline as a precautionary measure. The council confirmed that the discovery occurred early in the morning and that the affected servers were isolated to prevent further spread of the threat. No financial systems operated by the council were reported to have been compromised in the incident, and the authority stated that no bank account or credit/debit card details processed by those systems had been accessed. The council’s spokesperson emphasized that the decision to shut down the servers was made to contain the malicious activity and to protect the integrity of remaining services. The isolation of the servers was described as the direct cause of the subsequent loss of web‑based functionality, rather than the cyber incident itself disrupting the services. The council noted that the incident was identified through monitoring tools employed by CGI and that the activity did not originate from email communications. A joint investigation was immediately launched involving Police Scotland, the Scottish Cyber Coordination Centre (SC3) and the National Cyber Security Centre (NCSC). The council also notified the Information Commissioner’s Office (ICO) on the basis of its presumption that data related to the unavailable web forms may have been exfiltrated.

The cyber incident disrupted a wide range of online services that residents and stakeholders routinely use through the Glasgow City Council website. Users were unable to view or comment on planning applications, to pay penalty charges for parking or bus lane contraventions, or to submit online appeals related to those charges. Reporting school absences through the digital form was unavailable, as was the ability to order certificates from the city registrars for births, deaths or marriages. Household schedules for bin collections, online diaries and calendars, and the Strathclyde Pension Fund’s SPFOnline portal were all inaccessible. Additionally, the council’s online systems for permits, complaints, certificate applications, comments and compliments, Freedom of Information requests, footway crossing applications, election services, planning enforcement, planning statutory enforcement, public processions, future processions, sign language interpreter service access, Glasgow Film Office location library, pupil absence reporting, bin calendar viewing, taxi complaints submission and the council’s internal diary were all taken offline. The authority stated that where feasible, alternative methods of accessing these services were being arranged, such as telephone lines for certain payments and in‑person options for others, but the primary web‑based channels remained unavailable during the containment period. North Lanarkshire Council, which relies on Glasgow City Council to process its parking fines, reported that its own telephone payment line remained operational and anticipated higher call volumes as a result of the disruption.

Regarding data security, the council explained that it could not confirm at that stage whether any data had actually been removed from the compromised servers, but it was operating on the presumption that customer data linked to the currently unavailable web forms may have been exfiltrated. The authority stressed that no financial systems had been affected and that no details of bank accounts or credit/debit cards processed by those systems had been compromised. In line with its precautionary stance, the council contacted the Information Commissioner’s Office to notify them of the potential data breach and to seek guidance on regulatory obligations. The council advised anyone who had used the affected online forms to be particularly cautious about unsolicited contact claiming to be from Glasgow City Council, and it directed individuals who believed they might have been targeted to contact Police Scotland on the non‑emergency number 101 or to report the matter in person at any police station. For those concerned about possible financial fraud, the council pointed to the Cyber and Fraud Hub as a resource, and it referenced the National Cyber Security Centre’s published advice on data breaches for individuals and families. The council reiterated that its own email channels remained safe and that it would never request bank account details, passwords or other secure information via email, a statement supported by the security specialists who reviewed the incident and confirmed that email was not the infection vector.

The incident placed Glasgow City Council within a broader pattern of cyber threats affecting Scottish public bodies in recent months. NHS Dumfries and Galloway had previously reported a breach that disrupted services, and the City of Edinburgh’s education department had experienced an attempted cyber attack the month before, which led to a precautionary reset of all pupil passwords after staff identified a spear‑phishing invitation. These earlier events were cited by the council to illustrate the increasing frequency of attacks on local authority infrastructure and to underscore the importance of vigilance across the sector. The council noted that the attack on its systems was not isolated and that the joint investigation would consider any possible connections or shared tactics with the other incidents. The involvement of multiple national and Scottish agencies reflected the seriousness with which the incident was being treated and the desire to leverage specialised expertise in threat analysis, forensic examination and incident response. The council’s own ICT team, alongside CGI and the third‑party server manager, worked to preserve logs and evidence for the investigators while maintaining communication with the public through official updates on the service impact page.

Throughout the response, the council maintained a steady flow of information to residents, publishing regular updates on which services remained unavailable and which alternative access points had been established. Apologies were issued for the anxiety and inconvenience caused by the disruption and the necessary technical measures taken to contain the threat. The authority emphasized that it would continue to monitor the situation, restore services as soon as it was safe to do so, and keep the public informed of any developments regarding data integrity or further service impacts. The statement concluded with a reminder that the council remained committed to protecting residents’ information and to improving its cyber resilience in light of the incident.