Request for information - FOI17776
Thank you for your email of 13 June 2017, in which you narrowed the scope of your original request (FOI17764), and your additional email of 14 June 2017, clarifying your request.
Original FOI request of 9 May 2017 (FOI17764):
I would like to make a request under the Freedom of Information Act 2000 relating to cyber attacks on your organisation.
To be clear, by "cyber attack" I am referring to the unauthorised external access or deliberate disruption of a computer system or a device owned and/or operated by your organisation. Types of cyber attack could include, but are not limited to: ransomware, denial of service, phishing and spear phishing.
By data, I refer to any information held on your computer systems or devices.
Please could you answer the following:-
1) Does your organisation keep an incident log of cyber attacks?
2) How many cyber attacks - attempted and successful - were recorded against your organisation in the last three financial years (ie 2014/15, 2015/16, 2016/17)?
3) Where cyber attacks were successful, what kind and amount of data, if any, was lost or stolen? Was it confidential?
For each case, please confirm:
4) The type of attack (eg ransomware, denial of service etc)
5) What demand, for example a Bitcoin payment, was made to resolve the attack? Did your organisation comply?
6) Whether the attack was reported to police or other responsible authority? To the best of your knowledge, was the attacker traced/convicted?
If possible, please provide this information in Excel spreadsheet format.
Email of 13 June 2017:
Thank you for your reply. I understand the restriction imposed by Section 12. Would it bring this request within the time limit if I restricted it to just the last financial year - ie March 2016 to April 2017?
If that does come within the time limit please treat this as a modified request on those lines.
Email of 14 June 2017:
Thanks for your reply. I would classify a successful cyber attack as an incident in which IT firewalls were breached and/or data held by OS was in any way compromised, for example by encryption or direct theft.
I'm not asking for information on attempted attacks in the sense that I imagine OS, in common with almost any organisation including my own, receives many attempted malicious emails almost daily but they are stopped by firewalls and other normal preventive measures.
I confirm that Ordnance Survey does hold the information you have requested. I am pleased to provide you with the [attached spreadsheet] which provides information on cyber attacks (in which IT firewalls were breached and/or data held by Ordnance Survey was in any way compromised) from March 2016 to April 2017, in relation to questions 2 to 6 of your original request (FOI77764). Please note we have provided the information for question 1 in our response to your original request (FOI17764) of 7 June 2017.
Your enquiry has been processed according to the Freedom of Information Act (FOIA) 2000. If you are unhappy with our response, you may request an internal review with our FOI Internal Review Officer, by contacting them as follows:
FOI Internal Review Officer
Customer Service Centre
Please include the reference number above. You may request an internal review where you believe Ordnance Survey has:
- Failed to respond to your request within the time limits (normally 20 working days)
- Failed to tell you whether or not we hold the information
- Failed to provide the information you have requested
- Failed to explain the reasons for refusing a request
- Failed to correctly apply an exemption or exception
The FOI Internal Review Officer will not have been involved in the original decision. They will conduct an independent internal review and will inform you of the outcome of the review normally within 20 working days, but exceptionally within 40 working days, in line with the Information Commissioner’s guidance.
The FOI Internal Review Officer will either: uphold the original decision, provide an additional explanation of the exemption/s applied or release further information, if it is considered appropriate to do so.
Appeal to Information Commissioner's Office (ICO)
If, following the outcome of the internal review, you remain unhappy with our response, you may raise an appeal with the Information Commissioner’s Office at:
The Case Reception Unit
Customer Service Team
The Information Commissioner’s Office
Telephone helpline: 0303 123 1113 or 01625 545745 for advice, Monday to Friday.
Thank you for your enquiry.