Statistics on cyber attacks on Scottish public bodies: FOI release
- Published: 20 November 2024
- Directorate: Safer Communities Directorate
- FOI reference: FOI/202400436576
- Date received: 16 October 2024
- Date responded: 8 November 2024
Information request and response under the Freedom of Information (Scotland) Act 2002.
Information requested
A breakdown of the number of cyberattacks against the Scottish Government and its agencies in each of the past five years showing:
1. The cost of dealing with the attack.
2. If data was breached/stolen.
3. Any ransom amounts paid to retrieve data.
4. The origin of each attack if known.
Response
The Scottish Government is not a formal reporting agency for cyber incidents/attacks, which means that agencies are not obliged to report any cyber incidents or attacks they experience to us. However, we encourage any Scottish public body that does experience a cyber incident to notify the Scottish Government under the voluntary Scottish Public Sector Cyber Incident Notification Procedure so that we can ensure that all relevant and necessary support can be provided. The notification procedure was launched in 2019.
The year-by-year notification under this procedure of incidents which directly affected public bodies and were deemed to be cyber-attacks is as follows:-
| Year | 2020 | 2021 | 2022 | 2023 | 2024 |
|---|---|---|---|---|---|
| Number of cyber-attacks on Scottish public bodies | 11 | 10 | 8 | 10 | 16 (as of 7 November) |
While our aim is to provide information to the public whenever possible, in this instance we are unable to provide some of the information you have requested because of exemptions under sections 30(c) and 17(1) of FOISA. The reasons why those exemptions apply are explained below.
Breakdown of which organisations suffered incidents/attacks over the five years - exempt under section 30(c) (prejudice to effective conduct of public affairs).
Organisations report voluntarily to Scottish Government, and this allows us to effectively support them in their response to incidents and so that the whole sector can learn lessons. Disclosing information of this nature would undermine public bodies' trust in Scottish Government, reduce the likelihood of them reporting to us and substantially prejudice our ability to effectively support the sector during cyber incidents.
Furthermore, revealing which organisations have experienced cyber attacks could help threat actors to map out security capabilities, enabling them to bypass any security controls. This knowledge could empower them to mount more effective and targeted attacks, significantly undermining the effective conduct of public affairs.
This exemption is subject to the ‘public interest test’. We recognise that there is some public interest in release in order to assure and inform the public about cyber security of the public sector but taking account of all the circumstances of this case, we have found that, on balance, the public interest lies in favour of applying this exemption to protect the confidentiality-based relationships across the sector and avoid increasing the risk of further and more damaging cyber attacks on the sector.
Information on points 1 to 4 (Costs, data breach/theft, ransom payments, origin of attack) - section 17(1) Information not held applies
The reason for this is that the Scottish Government is not a formal reporting agency for cyber-attacks or data breaches and therefore does not have procedures in place to manage and record specific detail on cyber attacks for all government bodies, beyond the basic notification information under the voluntary Scottish Public Sector Cyber Incident Notification Procedure.
However, on the issue of ransom payment, Scottish Government advice is that no public body should pay a ransom.
About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.
Contact
Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000
The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG