On 19 June 2025, Glasgow City Council experienced a significant supply‑chain cyber‑attack, traced back to malicious activity on servers managed by a third-party ICT supplier, CGI. As a result, key services including planning applications, parking payments, pension portals, bin calendars, and registrar booking systems went offline, prompting authorities to presume potential data exfiltration as investigations commenced (BBC News, 2025; Computing, 2025).
Attack Timeline & Impact
- Incident discovery
- Detected on 19 June by CGI on a third-party server, prompting immediate isolation (Computing, 2025; The Register, 2025).
- Detected on 19 June by CGI on a third-party server, prompting immediate isolation (Computing, 2025; The Register, 2025).
- Services disrupted
- One week later, essential online functions remained inaccessible: planning, parking charges, registrar bookings, Freedom of Information requests, school absence reporting, Strathclyde Pension Fund access, and bin collection schedules (Computing, 2025; BBC News, 2025; The Register, 2025).
- One week later, essential online functions remained inaccessible: planning, parking charges, registrar bookings, Freedom of Information requests, school absence reporting, Strathclyde Pension Fund access, and bin collection schedules (Computing, 2025; BBC News, 2025; The Register, 2025).
- Extended impact
North Lanarkshire Council was also affected due to its reliance on Glasgow’s parking infrastructure (Computing, 2025).
Data Compromise Concerns
Glasgow City Council has notified the Information Commissioner’s Office (ICO) and stated they are operating on the presumption that some customer data submitted via web forms may have been compromised, although financial systems were reportedly unaffected (BBC News, 2025; The Register, 2025). As of now, there’s no confirmation of actual data theft (Scottish Sun, 2025).
Fraud Warning: Fake Parking Fines
Shortly after the attack, residents reported receiving phishing texts and emails claiming unpaid parking fines, urging them to pay online. Glasgow City Council clarified it does not request payments through messages or calls and always uses numbers printed on physical Penalty Charge Notices (Scottish Sun, 2025; Independent, 2025). The council urged vigilance and advised reporting suspicious messages to Police Scotland or the Cyber Incident Response Helpline (Scottish Sun, 2025; The Independent, 2025).
This incident highlights just how exposed organizations can be when they rely on external vendors for critical services. When one link in the chain is compromised, the ripple effect can be widespread, affecting not just systems but public trust. It’s a clear reminder that third-party access needs to be tightly controlled, monitored constantly, and supported by strong security fundamentals like access restrictions and layered authentication. Supply chain attacks are operational risks that demand attention at every level.
The cyber-attack on Glasgow City Council is a strong reminder that peripheral systems can expose critical services to major disruption. Although financial systems appear secure, the presumed compromise of web-form data and the resultant phishing scams demonstrate the far-reaching consequences of supply-chain vulnerabilities.
To bolster resilience, public sector organizations must reinforce third-party cybersecurity measures in alignment with NCSC (National Cyber Security Centre) guidelines, continuously audit their vendor ecosystems, and run real-world incident response simulations.