Skip to main content

Your browser is out of date, and unable to use many of the features of this website

Please upgrade your browser.


This website requires cookies. Your browser currently has cookies disabled.

Details of cyber attacks on TPR

FOI reference - FOI 2017-06-08
Date - 08/06/2017


I would like to make a request under the Freedom of Information Act 2000 relating to cyber attacks on your organisation.

To be clear, by 'cyber attack' I am referring to the unauthorised external access or deliberate disruption of a computer system or a device owned and/or operated by your organisation. Types of cyber attack could include, but are not limited to: ransomware, denial of service, phishing and spear phishing.

By data, I refer to any information held on your computer systems or devices.

Please could you answer the following:

  1. Does your organisation keep an incident log of cyber attacks?
  2. How many cyber attacks - attempted and successful - were recorded against your organisation in the last three financial years (ie 2014/15, 2015/16, 2016/17)?
  3. Where cyber attacks were successful, what kind and amount of data, if any, was lost or stolen? Was it confidential?

For each case, please confirm:

  • The type of attack (eg ransomware, denial of service etc).
  • What demand, for example a Bitcoin payment, was made to resolve the attack? Did your organisation comply?
  • Whether the attack was reported to police or other responsible authority? To the best of your knowledge, was the attacker traced/convicted?


I can confirm that we hold some of the information falling within scope of your request.

Information we are able to supply

I have answered your questions in turn below:

  1. We currently receive an anti-virus monthly summary report from our external provider (please see Table A for figures). In addition we maintain a log of events reported by individuals within the organisation; each event is logged with Action Fraud, our Public Services Network compliance partners and the security team at the Department for Work and Pensions.
  2. There has been one partially successful attack during the period stated in your request. For figures on attempts please see Table A.
  3. The partially achieved cyber attack was at the time found to be a new type of ransomware attack. The incident affected only one user account and demanded Bitcoin payment for the release of encrypted information. The attack encrypted a limited amount of restricted information relating to our function as The Pensions Regulator, but the information was not transferred out or copied from our systems.

Restricted information is defined at section 82(4) of the Pensions Act 2004 (PA04) as 'information obtained by the Regulator in the exercise of its functions which relates to the business or other affairs of any person’.

Under section 82(5) of the PA04 it is a criminal offence to disclose such information except as permitted under that Act.

Table A

Year  Month  Total received Mail  Attempts detected   % 
2015 June 107,701 2,161 2.01
2015  July 166,763  3,350 2.01
2015 August 150,775 5,041 3.34
2015 September 153,748 142 0.09
2015 October 207,467 2,904 1.39
2015 November 134,506 6,554 4.87
2016 January 118,034 6,017 5.09
2016 February 134,455 7,332 5.45
2016 March 129,576 1,825 1.41
2016 April 134,425 1,083 0.81


113,364 838 0.74
2016 June 112,135 230 0.21
2016 July 110,236 441 0.40
2016 August 102,786 374 0.36
2016 September 109,895 264 0.24
2016 October 119,554 151 0.13
2016 November 123,474 694 0.56
2016 December 110,310 261 0.24
2017  January  113,547   45  0.04 
2017 February  110,793  107  0.09
2017 March  132,365   199  0.15 
2017  April  111,447   188  0.17