FOI reference - FOI 2017-06-08
Date - 08/06/2017
I would like to make a request under the Freedom of Information Act 2000 relating to cyber attacks on your organisation.
To be clear, by 'cyber attack' I am referring to the unauthorised external access or deliberate disruption of a computer system or a device owned and/or operated by your organisation. Types of cyber attack could include, but are not limited to: ransomware, denial of service, phishing and spear phishing.
By data, I refer to any information held on your computer systems or devices.
Please could you answer the following:
- Does your organisation keep an incident log of cyber attacks?
- How many cyber attacks - attempted and successful - were recorded against your organisation in the last three financial years (ie 2014/15, 2015/16, 2016/17)?
- Where cyber attacks were successful, what kind and amount of data, if any, was lost or stolen? Was it confidential?
For each case, please confirm:
- The type of attack (eg ransomware, denial of service etc).
- What demand, for example a Bitcoin payment, was made to resolve the attack? Did your organisation comply?
- Whether the attack was reported to police or other responsible authority? To the best of your knowledge, was the attacker traced/convicted?
I can confirm that we hold some of the information falling within scope of your request.
Information we are able to supply
I have answered your questions in turn below:
- We currently receive an anti-virus monthly summary report from our external provider (please see Table A for figures). In addition we maintain a log of events reported by individuals within the organisation; each event is logged with Action Fraud, our Public Services Network compliance partners and the security team at the Department for Work and Pensions.
- There has been one partially successful attack during the period stated in your request. For figures on attempts please see Table A.
- The partially achieved cyber attack was at the time found to be a new type of ransomware attack. The incident affected only one user account and demanded Bitcoin payment for the release of encrypted information. The attack encrypted a limited amount of restricted information relating to our function as The Pensions Regulator, but the information was not transferred out or copied from our systems.
Restricted information is defined at section 82(4) of the Pensions Act 2004 (PA04) as 'information obtained by the Regulator in the exercise of its functions which relates to the business or other affairs of any person'.
Under section 82(5) of the PA04 it is a criminal offence to disclose such information except as permitted under that Act.
Table A

| Year | Month | Total received mail | Attempts detected | % |