1. The number of data breach* incidents the council has had between 2021/22, 2022/23 and 2023- date (March 2024)
2021/2022 = 8
2022/2023 = 38
2023 – 31/03/2024 = 45
Total = 91
2. Of these, how many were cyber-incidents**?
Devon County Council (DCC) confirms that we hold the information you have requested. However, we consider this is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000.
This is because the Council considers that this information constitutes valuable intelligence, that could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure. We feel that releasing this information would therefore increase the chances of DCC becoming the victim of a cyber-attack.
We have considered the public interest in releasing this information. While we recognise that there is an overriding public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems.
We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations. For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure.
3. How much has the council paid out in compensation for Data Breach claims between 2021/22, 2022/23 and 2023-date (March 2024)?
2021 £75,000
2022 £2,500
2023 £2,000
2024 £6,500
*Data breach being defined as “’any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
**Cyber-incident being defined as “’actions taken through the use of an information system or network result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein”