Cyber Attacks

“I am writing under the Freedom of Information Act 2000 to request information about cyber-attacks, cyber security incidents and ransomware attacks affecting your authority.

I am asking for the information for each of the years 2014-15, 2015-16, 2016-17, 2017-18, 2018-19 and 2019-20 to date (I will take the date of your reply unless you specify the date).

I am using the following definitions in accordance with guidelines given by the National Cyber Security Centre (NCSC). https://www.ncsc.gov.uk/information/ncsc-glossary

Cyber-attack: a malicious attempt to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via cyber means

Cyber security incident: a breach of a system’s security policy in order to affect its integrity or availability or the unauthorised access or attempted access to a system

Ransomware: Malicious software that makes data or systems unusable until the victim makes payment

  1. Please provide details of how many cyber-attacks to computer systems, networks or devices have taken place in each of 2014-15, 2015-16, 2016-17, 2017-18, 2018-19 and 2019-20 to date.
  2. Please provide details of how many cyber security incidents caused internal systems or devices to be infected or for services to be affected in each of 2014-15, 2015-16, 2016-17, 2017-18, 2018-19 and 2019-20 to date.
  3. Please provide details of how many ransomware attacks have been made to your computer systems, networks or devices in each of 2014-15, 2015-16, 2016-17, 2017-18, 2018-19 and 2019-20 to date.
  4. How many cyber-attacks have caused the loss/breach of data in each of 2014-15, 2015-16, 2016-17, 2017-18, 2018-19 and 2019-20 to date?
  5. How many cyber security incidents have caused the loss/breach of data in each of 2014-15, 2015-16, 2016-17, 2017-18, 2018-19 and 2019-20 to date?
  6. How many ransomware attacks have caused the loss/breach of data in each of 2014-15, 2015-16, 2016-17, 2017-18, 2018-19 and 2019-20 to date?
  7. On how many occasions has the authority paid money to those involved in a ransomware attack – whether that is described as a ransom, fine, payment to unlock, purchase of unlocking product, fixing fee or any other payment to necessitate returning your systems to normal in each of 2014-15, 2015-16, 2016-17, 2017-18, 2018-19 and 2019-20 to date?
  8. For any occasions referred to in question 7 please provide the date and the amount paid, including currency and method of payment, such as electronic transfer, Paypal, Bitcoin or any other means of paying the fee.

Please confirm whether ransomware attacks in your answer to question 3 have also been included in the totals for cyber-attacks and cyber security incidents in questions 1 and 2.”

Response:

Devon County Council (DCC) receives cyber-attacks every day via e-mail and Internet services, but these are detected automatically and defeated before they start.

We believe that information relating to any successful cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’.  This is because disclosure places the organisation at risk of fraud and crime.  Such systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.

Confirming or denying whether information is held on cyber-attacks and what remedial measures may or may not have been taken could aid malicious parties by encouraging further attacks. Attacks on IT systems are criminal offences, so to provide information or confirmation of information being held might prejudice the prevention of crime by facilitating the possibility of an offence being carried out. There is a very strong public interest in the effectiveness of law enforcement and the prevention of crime.

Although DCC appreciates that there is a general public interest in openness (because this increases public trust and engagement), this public interest should be weighed against a very strong public interest in safeguarding the security of Council specific systems.  Indeed, it can be held as not in the interests of an individual council to provide information about the number of attacks that may or may not have been made against its IT systems as this could enable individuals to deduce how successful the council is in detecting these attacks and incurring this risk can be deemed not in the public interest.

Section 31 of the Freedom of Information Act 2000 states that there is a very strong public interest in protecting the law enforcement capabilities of public authorities.