Scotland’s biggest local authority has been hit hard by a cyber attack that’s left digital services in tatters and sparked serious fears about the security of citizen data. Glasgow City Council confirmed the breach late Thursday, triggering a multi-agency probe and pushing critical online systems offline for tens of thousands of users.
The council’s public-facing services ground to a halt, residents were redirected to jammed phone lines, and the full scale of potential data theft remains unclear.
Major services grind to a halt, phones overwhelmed
It wasn’t just a blip. The cyber hit on Glasgow City Council appears both targeted and highly disruptive. A wide range of digital services were taken down — from school absence reporting to online penalty charge payments and planning applications. Even basic registrar services were affected.
The council moved fast to pull multiple servers offline as a precaution. But the ripple effects went further than expected. North Lanarkshire Council, which relies on Glasgow to process parking fine payments, also found itself suddenly affected.
One sentence here to show how chaotic it’s gotten.
Residents trying to reach basic services were left queuing on phone lines for hours.
A council spokesperson said financial systems remain unaffected — but that’s little consolation to families who couldn’t register births or report school absences ahead of the summer break.
Not just glitches: data theft now feared
The most worrying part? Officials now admit that citizen data may have been exfiltrated.
Information tied to suspended web forms is believed to be at risk, though the full extent of what was accessed — names, addresses, contact details? — hasn’t been made public.
The council’s advisory to residents was blunt:
Be wary of anyone contacting you out of the blue claiming to be from Glasgow City Council.
It’s a grim déjà vu for Scots after a similar incident in Edinburgh weeks ago. In that case, a targeted spear-phishing campaign disrupted student platforms and forced a mass password reset. The timing was brutal — just before exams.
Here’s what’s confirmed (or not) so far:
-
✅ Email systems not compromised
-
❓ Volume and type of stolen data unknown
-
❗ Council assuming worst-case scenario: data compromise
-
📞 Services rerouted to overwhelmed phone systems
-
🔍 Cybersecurity response underway, led by national agencies
Why this matters: a rising tide of public sector breaches
Glasgow is the latest — but not the first — public body in the UK to be hit in 2025. In fact, this looks like part of a disturbing trend.
Local councils, NHS trusts, and universities have all been hit this year, sometimes repeatedly. These institutions often rely on aging infrastructure, limited cybersecurity budgets, and sprawling legacy systems that are tough to patch and defend.
One small sentence to break it up.
The result? A soft target for attackers with big payoffs in mind.
The Scottish Government and UK’s National Cyber Security Centre (NCSC) are now involved in Glasgow’s case. But critics argue that more proactive investment in cyber defense is long overdue.
People are angry — and vulnerable
Residents are frustrated. They want answers — and protection.
One caller told BBC Radio Scotland they had waited over 90 minutes just to ask if their child’s school registration had gone through.
Others shared concerns about whether scammers could now target elderly residents or vulnerable families using stolen contact info.
In the absence of clear updates, here’s what experts say people should do:
-
Watch for phishing emails or suspicious calls
-
Don’t click links in texts or emails claiming to be from the council
-
Monitor financial statements and personal accounts
-
Report anything odd to Police Scotland or Action Fraud UK
Cybersecurity consultant Fiona Grieve said the attack highlights “just how thinly stretched local authority cyber defences are.” She added: “Until there’s real investment, we’ll keep seeing these stories.”
The bigger picture: more to come?
Some insiders believe the Glasgow incident is just the tip of the iceberg.
Cybercrime groups often hit multiple targets in one sweep. The question being quietly asked in IT rooms across the UK: who’s next?
The council hasn’t confirmed if it was ransomware — or whether a ransom has been demanded. But the way systems were pulled offline and the tone of official briefings suggests this wasn’t just a teenage hacker poking around.
Scottish Government officials, speaking anonymously, said they’re bracing for “a long road to full restoration.” Internal digital systems — used by social workers, housing teams, and child protection services — could take weeks to come back fully online.
Meanwhile, the public waits, watches, and worries.
