Ransomware attacks

FOI request reference: CAS-70721-Z7P3Y9
Publication date: October 2021

Request

Over the last five years,

  • How many times has your organisation suffered a ransomware attack?
  • Please detail the number of successful and unsuccessful attacks.
  • In the case of successful attacks, how much downtime did each cause?
  • Did you pay the ransom?
  • How much did the ransom cost?

Outcome

Information witheld.

Response

The National Archives can neither confirm nor deny that it holds information in respect to these questions by virtue of Section 31(3) Law Enforcement of the FOI Act.

EXPLANATORY ANNEX

Exemptions applied.

Section 31: Law Enforcement 

Section 1 (1) (a) of the Freedom of Information Act requires a public authority to inform a requester whether it holds information specified in the request. This is known as the ‘duty to confirm or deny’. In most cases, a public authority will be able to comply with its duty to confirm or deny under section 1 (1) (a) – in other words, it will be able to respond to a request by at least informing the requester whether or not it holds the information. In most cases where information is held, a public authority will go on to consider whether information should be provided under section 1 (1) (b) or whether it is subject to an exemption in Part II of the Act. However, there may be occasions when complying with the duty to confirm or deny under section 1 (1) (a) would in itself disclose sensitive or potentially damaging information that falls under an exemption. In these circumstances, the Act allows a public authority to respond by refusing to confirm or deny whether it holds the requested information. This is called a ‘neither confirm nor deny’ response.

The National Archives can neither confirm nor deny, that it holds the information, as the duty in section 1 (1) (a) of the Freedom of Information Act 2000 does not apply by virtue of section 31 (3) Law Enforcement.

Section 31 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption. This means that after it has been decided that the exemption is engaged, the public interest in releasing the information must be considered. If the public interest in disclosing the information outweighs the public interest in withholding it then the exemption does not apply and the information must be released. In the FOI Act there is a presumption that information should be released unless there are compelling reasons to withhold it.

The public interest has now been concluded and the balance of the public interest has been found to fall in favour of confirming an NCND for information covered by the section 31(3) exemption. Considerations in favour of the release of the information included the principle that there is a public interest in transparency and accountability in disclosing information about government procedure and contracts. However, release of this information would make The National Archives more vulnerable to crime. The crime in question here would be a malicious attack on The National Archives’ computer systems. As such release of this information would be seen to prejudice the prevention or detection of crime by making The National Archives’ computer system more vulnerable to hacking. There is an overwhelming public interest in keeping government computer systems secure which would be served by non-disclosure. This would outweigh any benefits of release. It has therefore been decided that the balance of the public interest lies clearly in favour of withholding the material on this occasion.

Further guidance on section 31 can be found here:
https://ico.org.uk/media/for-organisations/documents/1207/law-enforcement-foi-section-31.pdf.