Cyber Security breaches (FOI2611)

Request for information - Ref no: FOI2611

24 April 2026

Information request

We received your request on 4 April 2026.

We have handled your request under the Freedom of Information Act (FOIA) 2000.

A copy of your request is set out in the extract below:

“I would like to request the following information for each calendar year from 2020 to 2026 inclusive:

  1. The number of cyber security breaches that have been identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach)
  2. The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc
  3. The number of breaches that occurred that were attributed to a previously known vulnerability to the organisation's hardware, software, policies, or processes, for example where a system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.
  4. The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.”

Our response

In accordance with section 31(3) of the Freedom of Information Act (FOIA) 2000 (the Act), we neither confirm nor deny that we hold the information you have requested.

Section 31(3)

The duty in Section 1(1)(a) of the Act does not apply by virtue of Section 31(3), which provides an exclusion from the requirement to confirm or deny whether the information is held if to do so would, or would be likely to, prejudice any of the matters mentioned in section 31(1).

Section 31(1)(a) (Prejudice the prevention or detection of crime)

We have determined that confirming or denying whether the information you request is held would be likely to prejudice the prevention of crime as the information would aid cyber criminals and would be likely to make us more vulnerable to a cyber attack.

Merely confirming whether we hold information regarding the number and type of cyber security breaches would provide cyber criminals with valuable information regarding the sophistication of our cyber security protection. For example, if we confirm we hold information about the number of attacks, it indicates we are monitoring this; if we state we do not hold the information, it will disclose a potential vulnerability.

This should not be taken as an indication that the information you requested is or is not held by us.

Our responses under the Freedom of Information Act are public information, made to the world at large, so we must consider the effect of attackers combining information to build up a map of our cyber security systems.

Section 31 is a qualified exemption and so we are required to weigh the public interest in maintaining our neither confirm nor deny position against the public interest in disclosure.

Public Interest Test

We recognise the need for transparency and that there is a public interest in knowing that OS has measures in place to protect information. Disclosing whether we hold the information would reassure the public that we take protection of our systems and information seriously.

However, confirming whether or not we hold this information would mean that our computer and security systems would be more vulnerable to malicious attacks.

Ordnance Survey provides essential geospatial data to public sector organisations, including assisting police forces and other emergency services. Therefore, our data plays an important role in enabling public safety. If our systems are compromised or taken out of operation, this would significantly impair our ability to provide up-to-date geospatial data, impacting the delivery of public services which depend upon our data.

Conclusion

We have concluded that the public interest in maintaining the exemption, in order to reduce the risk of cyber attacks and ensure the continued availability of essential geospatial data, outweighs the public interest in transparency.
