1. The number of ransomware attacks made against your council/mayoralty in the years 2020, 2021, 2022, 2023, 2024 and 2025. Please break this data down by year.
2. The ‘ransom payments’ made by the council amid these attacks in each of the above years. Please give me the value of each individual ransomware payment made in the above years, broken down by year.
3. If it’d be possible to provide a brief description of all of the attacks made in 2024, please do so. (e.g., their country of origin, what data (or other information, system, etc.) was held ransom, what ransom payment was being requested, whether it was paid).
In response to questions 1 to 3 – this information is exempt from disclosure under Section 31(1) of the Freedom of Information Act 2000 (Prevention or Detection of Crime).
Devon County Council can confirm the requested information is held; however, this information constitutes valuable intelligence that could be leveraged by a motivated cyber threat actor to inform a successful attack against Council infrastructure. Releasing this information would therefore increase the chances of the Council becoming the victim of a cyber-attack.
The Council has considered the public interest in releasing this information and recognises there is a public interest in openness and transparency. However, there is a stronger public interest in the Council maintaining the security and integrity of its IT systems. Significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations. Therefore, the balance of public interest weighs in favour of withholding this information from disclosure.