1) How many times did your council experience an attempted cyber-attack in each of the following calendar years: 2022, 2023, 2024?
If you do not have complete data for 2024, please provide the most up-to-date information you have available.
2) Of these attacks, how many resulted in the criminal being able to obtain data or disable systems, per calendar year: 2022, 2023, 2024?
3) Please advise what is the most common type of attack you have experienced, again per calendar year: 2022, 2023, 2024? (e.g. malware, ransomware, phishing)
4) For each of the calendar years: 2022, 2023, 2024, what has been the financial cost to recover from these cyber-attacks?
If you cannot provide an exact cost, please provide an estimate. Please include costs such as rectification, loss of data, money paid to hackers, legal costs, etc. Do you have an insurance policy to protect against the potential consequences of cyber-attacks?
5) When did you last update your security system to cope with the volume and sophistication of cyber-attacks?
In response to questions 1 to 5, Devon County Council can confirm that we hold the information you have requested. However, we consider this is exempt from disclosure under Section 31(1)(a), the prevention or detection of crime, of the Freedom of Information Act 2000.
This is because the Council considers that this information constitutes valuable intelligence that could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure. We feel that releasing this information would therefore increase the chances of Devon County Council becoming the victim of a cyber-attack.
We have considered the public interest in releasing this information. While we recognise that there is a public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems. We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations. For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure.