West Lothian Council Education Network Ransomware Attack

Executive Summary

On May 6, 2025, West Lothian Council (WLC) experienced a ransomware attack targeting its Education Network. The criminal incident resulted in the compromise of a small but sensitive portion of data, including personal information, learning materials, and confidential reports from social work and other agencies across 11 high schools and one primary school. The council initiated a swift response, involving a live criminal investigation with Police Scotland and the Scottish Government, immediate risk notification to affected individuals, and comprehensive public guidance on vigilance and data protection measures. The council’s core corporate and public access networks remained unaffected. This case study outlines the nature of the breach, the scope of its impact, and the critical steps taken for mitigation and recovery.

1. Background & Challenge

| Aspect | Detail |
| --- | --- |
| Organization | West Lothian Council (WLC) |
| System Targeted | Education Network (comprising servers and systems for schools and support staff) |
| Date of Incident | Tuesday, May 6, 2025 |
| Threat Actor | Unknown (Ransomware/Criminal Group) |

The challenge was to contain the breach, determine the scope of data compromise across multiple educational sites, and ensure the ongoing safety and security of staff, students, and their personal data while maintaining essential council services. The nature of the compromised data—including reports from social work and other agencies—added a significant confidentiality and safeguarding urgency to the response.

2. Incident Details & Impact

The incident was identified as a ransomware cyberattack. An investigation determined that, while the attack was contained to the Education Network, a specific portion of data was compromised.

Impact Analysis:

| Category | Description of Impact |
| --- | --- |
| Data Compromise | A small percentage of total data on the Education Network was compromised. Of this, a very small proportion was of a personal and sensitive nature. |
| Sensitive Data Types | Possible theft of names, addresses, email addresses, learning materials, and critically, reports shared by social work and other agencies. |
| Affected Schools | 11 Secondary Schools (e.g., Armadale Academy, Bathgate Academy, Linlithgow Academy) and Holy Family Primary. Other primary, nursery, and ASN schools were largely unaffected. |
| Operational Status | WLC’s main corporate and public access networks remained secure and operational, indicating successful segmentation and protection of core municipal services. |

3. Response & Mitigation Strategy

WLC implemented a multi-faceted response focused on investigation, risk mitigation, and public communication.

| Phase | Action Taken |
| --- | --- |
| Criminal Investigation | Launched a live criminal investigation in collaboration with Police Scotland and the Scottish Government. |
| Risk Notification | Council staff directly contacted individuals deemed to be most at risk due to the compromise of sensitive social work/agency reports. |
| Public Guidance | Issued an urgent update advising the public, parents, and carers to be extra vigilant for scams, phishing, or other criminal activity using stolen data. |
| Data Security Advice | Recommended that all users associated with the affected systems immediately change passwords to be strong and unique, referencing guidance from Cyber Scotland. |
| Support Channels | Directed individuals with specific concerns about data theft to a dedicated, confidential email address: educationcybersecurity@westlothian.gov.uk. |
| External Resources | Signposted users to the National Cyber Security Centre (NCSC) and the Cyber and Fraud Hub for comprehensive support and guidance on data breaches. |

4. Lessons Learned & Outcome

The incident demonstrated the council’s ability to maintain network segmentation, successfully isolating the attack to the education system and protecting core municipal services.

Key Takeaways:

  1. Network Segmentation is Critical: The segregation of the Education Network from the Corporate and Public Access networks prevented a catastrophic, wider-reaching system failure.
  2. Proactive Risk Communication: The immediate, targeted contact with high-risk individuals (those whose sensitive agency reports were compromised) was crucial for fulfilling ethical and legal safeguarding duties.
  3. Ongoing Vigilance: The council’s communication emphasized that the investigation is ongoing and advised continuous vigilance from the public, underscoring that the risk does not end with the initial breach announcement.
  4. Strengthening Posture: The incident serves as a critical reinforcement for implementing enhanced cybersecurity measures across all WLC systems and promoting stronger password hygiene among all users.

The case remains a live criminal investigation, with WLC committed to providing further updates as the legal and technical remediation efforts progress.