Ransomware attacks (FOI211040)

This Freedom of Information request asks for details relating to ransomware attacks

Request for information - Ref no: FOI211040

October 12, 2021

Information request

Thank you for your email of 24/09/2021, requesting information from Ordnance Survey in accordance with the Freedom of Information Act (FOIA) 2000, as set out in the extract below:   

“I would like to know the following under the Freedom of Information Act. Over the last five years,    

  • How many times has your organisation suffered a ransomware attack?
  • Please detail the number of successful and unsuccessful attacks
  • In the case of successful attacks, how much downtime did each cause?
  • Did you pay the ransom?
  • How much did the ransom cost?”

Our response

 I confirm that Ordnance Survey considers the information requested, as set out in the extract of your request above, to be exempt from disclosure under Section 31 (Law Enforcement) of the Freedom of Information Act (FOIA) 2000, as explained below: 

Section 31(3)

We neither confirm nor deny that we hold the requested information. The duty in Section 1(1)(a) of the FOIA to confirm whether or not OS holds the information does not apply, by virtue of Section 31(3) of that Act. This should not be taken as an indication that the information you requested is or is not held by us.

Section 31(3) provides an exclusion from the requirement to confirm or deny whether information described in a request is held if to do so would, or would be likely to, prejudice any of the functions in section 31(1). The relevant matter in this request is that set out at section 31(1)(a), the prevention and detection of crime, as explained below:

Section 31(1)(a)

Section 31(1)(a) exempts information if its disclosure would or would be likely to prejudice the prevention and detection of crime.  In this case, we consider that disclosure of the information would be likely to make OS more vulnerable to crime; namely a malicious attack on our computer and security systems.    

Disclosure of the information would compromise measures to protect our security systems, jeopardising our computer and security and therefore leaving us vulnerable to attack. It would be likely to assist someone in determining the level of effectiveness of detecting and defending against such attacks, and would be likely to assist a determined attacker, by allowing them to evaluate any vulnerabilities which may or may not exist, and the likelihood of whether a ransom payment would be provided. We consider that disclosing this type of insight into our security systems would create a real and significant risk to our computer and security systems.

This is a qualified exemption, and we are required to consider the public interest.  

Public Interest Test

OS recognises the need for transparency, and that there is a public interest in knowing that OS has measures in place to prevent such attacks and protect information. However, confirming whether or not we hold this information would mean our computer systems and security systems would be more vulnerable to malicious attacks, therefore facilitating the possibility of crime.

Section 31(1)(a) is a prejudice-based exemption, and there is a public interest inherent in avoiding the harm specified.  OS considers that the prejudice would be likely to occur, and we are satisfied there is a greater public interest in protecting our computer systems and security systems by withholding the information under this exemption. 
