Cyber Attacks since 2017 - Find a freedom of information request

1. Could you please tell me how many incidents of cyber-attacks you have recorded since the beginning of 2017?
2. Of these can you tell me how many incidents were referred to external sources including the police, the National Crime Agency and the National Cyber Security Centre?
3. And how many of these incidents were handled internally?

We consider that the information you have requested would be likely to enable individuals to deduce how successful the council is in detecting, preventing, and managing cyber-attacks and cyber incidents. 

Disclosure of this information into the public domain could therefore prejudice the council’s ability to protect the information that it holds and the information systems that it relies upon to carry out core functions.

For this reason, we are applying exemptions from our obligation to provide access to this information under section 31(1)(a) of the Freedom of Information Act 2000. Information is exempt if its disclosure would, or would be likely to prejudice, the prevention or detection of crime.

We have considered whether the public interest favours applying the exemption or disclosing the information.

Factors Favouring Disclosure

We acknowledge that there is a public interest in this information as it could increase public confidence and trust in how successful the council is in protecting information and information systems from cyber-attacks and cyber-incidents.  It would also assist furthering the understanding of the frequency of such attacks. 

Factors against Disclosure

Any individual or group intent on unlawfully attempting to carry out a cyber-attack would be assisted in doing so by gaining an understanding about how successful the council is in identifying, preventing, and managing cyber-attacks and cyber-incidents. 

Enabling individuals to deduce how successful the council is in identifying, preventing, and managing these attacks increases risk to the council as it can provide information useful in the first stage of a cyber-attack.  It is well understood that investigating and analysing available information about a target helps to identify potential victims.

This would prejudice the prevention of crimes committed under the Computer Misuse Act 1990 and, for systems processing personal data, crimes committed under data protection legislation.

We are satisfied therefore in this case that the public interest in ensuring the security of council systems relied upon to provide services to its customers outweighs the public interest.

You are entitled to request an internal review of this decision.