Ransomware, malware and data loss

FOI request reference: CAS-70295-T0K6B4
Publication date: October 2021

Request

  1. In the past three years has your organisation:
    1. Had any ransomware incidents? (An incident where an attacker attempted to, or successfully, encrypted a computing device within your organisation with the aim of extorting a payment or action in order to decrypt the device?)
      1. If yes, how many?
    2. Had any data rendered permanently inaccessible by a ransomware incident (i.e. some data was not able to be restored from back up)?
    3. Had any data rendered permanently inaccessible by a systems or equipment failure (i.e. some data was not able to be restored from back up)?
    4. Paid a ransom due to a ransomware incident / to obtain a decryption key or tool?
      1. If yes was the decryption successful, with all files recovered?
    5. Used a free decryption key or tool (e.g. from https://www.nomoreransom.org/)?
      1. If yes was the decryption successful, with all files recovered?
    6. Had a formal policy on ransomware payment?
      1. If yes please provide, or link, to all versions relevant to the 3 year period.
    7. Held meetings where policy on paying ransomware was discussed?
    8. Paid consultancy fees for malware, ransomware, or system intrusion investigation?
      1. If yes at what cost in each year?
    9. Used existing support contracts for malware, ransomware, or system intrusion investigation?
    10. Requested central government support for malware, ransomware, or system intrusion investigation?
    11. Paid for data recovery services?
      1. If yes at what cost in each year?
    12. Used existing contracts for data recovery services?
    13. Replaced IT infrastructure such as servers that have been compromised by malware?
      1. If yes at what cost in each year?
    14. Replaced IT endpoints such as PCs, Laptops, Mobile devices that have been compromised by malware?
      1. If yes at what cost in each year?
    15. Lost data due to portable electronic devices being mislaid, lost or destroyed?
      1. If yes how many incidents in each year?
  2. Does your organisation use a cloud based office suite system such as Google Workspace (Formerly G Suite) or Microsoft’s Office 365?
    1. If yes is this system’s data independently backed up, separately from that platform’s own tools?
  3. Is an offsite data back-up system in place for the following? (Offsite backup is the replication of the data to a server which is separated geographically from the system’s normal operating location site.)
    1. Mobile devices such as phones and tablet computers
    2. Desktop and laptop computers
    3. Virtual desktops
    4. Servers on premise
    5. Co-located or hosted servers
    6. Cloud hosted servers
    7. Virtual machines
    8. Data in SaaS applications
    9. ERP / finance system
    10. We do not use any offsite back-up systems
  4. Are the services in question 3 backed up by a single system or are multiple systems used?
  5. Do you have a cloud migration strategy? If so is there specific budget allocated to this?
  6. How many Software as a Service (SaaS) applications are in place within your organisation?
    1. How many have been adopted since January 2020?

Outcome

Some information provided.

Our response

Questions 1 to 24:

The National Archives can neither confirm nor deny that it holds information in respect to these questions by virtue of Section 31 (3) Law Enforcement of the FOI Act (please see the end of document for an explanation of the neither confirm nor deny exemptions applied).

25. Does your organisation use a cloud based office suite system such as Google Workspace (Formerly G Suite) or Microsoft’s Office 365?
Yes.

26. If yes is this system’s data independently backed up, separately from that platform’s own tools?
Yes.

27. Is an offsite data back-up system in place for the following? (Offsite backup is the replication of the data to a server which is separated geographically from the system’s normal operating location site.)
a. Mobile devices such as phones and tablet computers
b. Desktop and laptop computers
c. Virtual desktops
d. Servers on premise
e. Co-located or hosted servers
f. Cloud hosted servers
g. Virtual machines
h. Data in SaaS applications
i. ERP / finance system
j. We do not use any offsite back-up systems

Disclosing information specific to systems may reveal information that would prejudice the prevention or detection of crime and is exempt under section 31 (1) (a) of the FOI Act.

28. Are the services in question 3 backed up by a single system or are multiple systems used?
Multiple systems.

29. Do you have a cloud migration strategy? If so is there specific budget allocated to this?
We do not have a specific cloud migration strategy; however, there is reference to cloud policy in our IT and Digital Services Strategies.

Information regarding our IT Strategy is contained in a previous FOI response and published on our website. Please use the following link to access our previous response:
ICT Documents – Freedom of Information (nationalarchives.gov.uk)

Information regarding our Digital Services Strategy is published on our website. Please see the below link for this:
Our digital strategy – Archives Inspire the world (nationalarchives.gov.uk)

30. How many Software as a Service (SaaS) applications are in place within your organisation?

From our preliminary assessment, it is clear that we will not be able to answer your request because to do so would exceed the cost limit provision under section 12 of the Act. This exempts information if the cost of compliance exceeds the appropriate limit. Please see appendix for further details.

31. How many have been adopted since January 2020?
Please see above.

EXPLANATORY ANNEX

Exemptions applied.

Section 31: Law Enforcement 
Section 1 (1) (a) of the Freedom of Information Act requires a public authority to inform a requester whether it holds information specified in the request. This is known as the ‘duty to confirm or deny’. In most cases, a public authority will be able to comply with its duty to confirm or deny under section 1 (1) (a) – in other words, it will be able to respond to a request by at least informing the requester whether or not it holds the information. In most cases where information is held, a public authority will go on to consider whether information should be provided under section 1 (1) (b) or whether it is subject to an exemption in Part II of the Act. However, there may be occasions when complying with the duty to confirm or deny under section 1 (1) (a) would in itself disclose sensitive or potentially damaging information that falls under an exemption. In these circumstances, the Act allows a public authority to respond by refusing to confirm or deny whether it holds the requested information. This is called a ‘neither confirm nor deny’ response.

The National Archives can neither confirm nor deny that it holds the information, as the duty in section 1 (1) (a) of the Freedom of Information Act 2000 does not apply by virtue of section 31 (3) Law Enforcement.

We are unable to provide you with information specific to IT systems because this information is exempt from disclosure under section 31 (1) (a) of the FOI Act. Section 31 (1) (a) exempts information if its disclosure is likely to prejudice the prevention or detection of crime.

Section 31 is a qualified exemption and we are required to conduct a public interest test when applying any qualified exemption. This means that after it has been decided that the exemption is engaged, the public interest in releasing the information must be considered. If the public interest in disclosing the information outweighs the public interest in withholding it then the exemption does not apply and the information must be released. In the FOI Act there is a presumption that information should be released unless there are compelling reasons to withhold it.

The public interest test has now been concluded and the balance of the public interest has been found to fall in favour of confirming a ‘neither confirm nor deny’ (NCND) response for information covered by the section 31 (3) exemption and of withholding information covered by the section 31 (1) (a) exemption. Considerations in favour of the release of the information included the principle that there is a public interest in transparency and accountability in disclosing information about government procedure and contracts. However, release of this information would make The National Archives more vulnerable to crime. The crime in question here would be a malicious attack on The National Archives’ computer systems. As such, release of this information would be seen to prejudice the prevention or detection of crime by making The National Archives’ computer system more vulnerable to hacking. There is an overwhelming public interest in keeping government computer systems secure which would be served by non-disclosure. This would outweigh any benefits of release. It has therefore been decided that the balance of the public interest lies clearly in favour of withholding the material on this occasion.

Further guidance on section 31 can be found here:
https://ico.org.uk/media/for-organisations/documents/1207/law-enforcement-foi-section-31.pdf

Section 12 – Exemption where cost of compliance exceeds appropriate limit
Section 12 of the Freedom of Information Act 2000 (FOIA) makes provision for public authorities to refuse requests for information where the cost of dealing with them would exceed the appropriate limit, which, for central government departments like The National Archives, is set at £600. This represents the estimated cost of one person spending just over three working days determining whether the department holds the information, as well as locating, retrieving and extracting the information.

We estimate that it will take us in excess of this to identify the appropriate information, and locate, retrieve and extract it in response to your request because it is so wide ranging. Therefore, this part of your request will not be processed further.

You may wish to refine your request by narrowing its scope and being more specific about what information you particularly wish to obtain, including any dates or period of time relevant to the information required. For example, you may want to consider the following:

• Reducing the scope of the request to identify one area or department or being more specific about the type of SaaS solution.

You may find guidance produced by the ICO useful for this process: ‘How should I word my request to get the best result?’ This provides some tips for making effective FOI requests, so that you can find the core information which is important to you.

To be clear, you are not obliged to inform us of the purpose of your request, but the more descriptive information you provide, the more we can help you identify if we hold the information you are looking for within the cost limit.

We are unable to guarantee that any refined requests would fall within the cost limit.