You asked:
Under the Freedom of Information Act 2000 I seek the following information:
- For 2012, 2013, 2014, 2015, 2016 and 2017 (to date):
a. The number of cyber attacks that you have been a target of, with the date of each attack
b. For each attack, please state whether data was compromised and if so what was compromised
c. For each attack, please state how many devices were affected
d. For each attack, if known, the technique used i.e. DDoS (Direct Denial of Service), Adware, Phishing, Tampering, Spoofing, Bluejacking, Password attacks
e. For each attack, whether it was reported to the police
f. For each attack, whether it was reported to the Information Commissioner’s Office
We said:
We consider that knowledge of attempts - successful or non-successful cyber-attacks would reveal the level of IT protection employed and therefore aid anyone wishing to launch a viral attack on departmental IT systems. As such we believe the information requested is exempted under s31(1)(a) - the prevention or detection of crime. To use this exemption we are required to consider the public interest test, and whilst we note there are public interest arguments in favour of transparency and disclosure we have decided that these are outweighed by other public interest factors that are in favour of non-disclosure. Principally we consider that release of the information requested would prejudice our ability to maintain and run a secure and safe IT network. This is an essential function for all government departments and is particularly important for ONS which processes personal and economic information on its systems.