Ransomware incidents (FOI211034)

This Freedom of Information request asks for details relating to ransomware incidents

Request for information - Ref no: FOI211034

October 6, 2021

Information request

Thank you for your email of 31 August 2021, requesting information from Ordnance Survey in accordance with the Freedom of Information Act (FOIA) 2000, as set out in the extract below:

“I am writing to you under the Freedom of Information Act 2000 to request the following information from Ordnance Survey. Please can you answer the following questions:


1. In the past three years has your organisation:

a. Had any ransomware incidents? (An incident where an attacker attempted to, or successfully, encrypted a computing device within your organisation with the aim of extorting a payment or action in order to decrypt the device? )
i. If yes, how many?

b. Had any data rendered permanently inaccessible by a ransomware incident (i.e. some data was not able to be restored from back up.)

c. Had any data rendered permanently inaccessible by a systems or equipment failure (i.e. some data was not able to be restored from back up.)

d. Paid a ransom due to a ransomware incident / to obtain a decryption key or tool?
i. If yes was the decryption successful, with all files recovered?

e. Used a free decryption key or tool (e.g. from https://www.nomoreransom.org/)?
i. If yes was the decryption successful, with all files recovered?

f. Had a formal policy on ransomware payment?
i. If yes please provide, or link, to all versions relevant to the 3 year period.

g. Held meetings where policy on paying ransomware was discussed?

h. Paid consultancy fees for malware, ransomware, or system intrusion investigation
i. If yes at what cost in each year?

i. Used existing support contracts for malware, ransomware, or system intrusion investigation?

j. Requested central government support for malware, ransomware, or system intrusion investigation?

k. Paid for data recovery services? i. If yes at what cost in each year?

l. Used existing contracts for data recovery services?

m. Replaced IT infrastructure such as servers that have been compromised by malware?
i. If yes at what cost in each year?

n. Replaced IT endpoints such as PCs, Laptops, Mobile devices that have been compromised by malware?
i. If yes at what cost in each year?

o. Lost data due to portable electronic devices being mislaid, lost or destroyed?
i. If yes how many incidents in each year?

2. Does your organisation use a cloud based office suite system such as Google Workspace (Formerly G Suite) or Microsoft’s Office 365?
a. If yes is this system’s data independently backed up, separately from that platform’s own tools?

3. Is an offsite data back-up a system in place for the following? (Offsite backup is the replication of the data to a server which is separated geographically from the system’s normal operating location site.)

a. Mobile devices such as phones and tablet computers
b. Desktop and laptop computers
c. Virtual desktops
d. Servers on premise
e. Co-located or hosted servers
f. Cloud hosted servers
g. Virtual machines
h. Data in SaaS applications
i. ERP / finance system
j. We do not use any offsite back-up systems

4. Are the services in question 3 backed up by a single system or are multiple systems used?

5. Do you have a cloud migration strategy? If so is there specific budget allocated to this?

6. How many Software as a Services (SaaS) applications are in place within your organisation?

a. How many have been adopted since January 2020?”

Our response

I confirm that Ordnance Survey considers the information requested at questions 1-4, as set out in the extract of your request above, to be exempt from disclosure under Section 31 (Law Enforcement) of the Freedom of Information Act (FOIA) 2000, as explained below:

Section 31(3)
We neither confirm nor deny that we hold the requested information falling within questions 1-4 of your request, set out above.

The duty in Section 1(1)(a) of the FOIA to confirm whether or not OS holds the information, does not apply, by virtue of Section 31(3) of that Act. This should not be taken as an indication that the information you requested is or is not held by us.
Section 31(3) provides an exclusion from the requirement to confirm or deny whether information described in a request is held if to do so would, or would be likely to, prejudice any of the functions in sections 31(1), the relevant matter in this request are those set out at section 31(1)(a), the prevention and detection of crime, as explained below:

Section 31(1)(a)
Section 31(1)(a) exempts information if its disclosure would or would be likely to prejudice the prevention and detection of crime. In this case, we consider that disclosure of the information would be likely to make OS more vulnerable to crime; namely a malicious attack on our computer systems. Disclosure of the information would comprise measures to protect our systems, leaving us vulnerable to attack. It would be likely to assist someone in determining the level of effectiveness of detecting and defending against such attacks, and would be likely to assist a determined attacker, and be a real and significant risk to our computer and security systems.

This is a qualified exemption, and we are required to consider the public interest.

Public Interest Test
OS recognises the need for transparency; and that there is a public interest in knowing that OS has measures in place to prevent against such attacks and protect information; however, confirming whether or not we hold this information would mean our computer systems and security systems would be more vulnerable to malicious attacks, therefore facilitating the possibility of crime.

Section 31(1)(a) is a prejudice-based exemption, and there is a public interest inherent in avoiding the harm specified. OS considers that the prejudice would be likely to occur, and we are satisfied there is a greater public interest in protecting our computer systems and IT security systems by withholding the information under this exemption.

I confirm that OS does hold the information requested at questions 5 and 6, in the extract of your request above, and respond as follows (the questions have been set out in bold below with our responses underneath for ease of reference):

Do you have a cloud migration strategy? If so is there specific budget allocated to this?
I confirm OS has a cloud migration strategy. I confirm there is an ongoing budget set aside annually to mature and enhance use of the cloud platform.

How many Software as a Services (SaaS) applications are in place within your organisation?
OS subscribes to 69 SaaS applications

How many have been adopted since January 2020?
23 have been ‘implemented’ since January 2020.

All information requests

See our previous responses to Freedom of Information (FOI) requests.

Can't find what you need?

Contact us directly to speak to our friendly customer service team.