A report of the numbers of House of Commons email accounts which have been hacked in the last 12 months

The request was refused by House of Commons.

Dear House of Commons,

Please could you provide a weekly breakdown of the numbers of successful attempts to hack or access email accounts provided to MPs in the year to September 6 2017.

Could you also provide the numbers of referrals by week to the police for investigation.

Yours faithfully,

James Wild

FOI Commons, House of Commons

1 Attachment

Dear Mr Wild,

 

Freedom of Information request F17-365

 

Thank you for your request for information dated 7 September 2017,
received by us on the same date, which is copied below.

 

We will endeavour to respond to your request promptly but in any case
within 20 working days i.e. on or before 5 October 2017.

 

If you have any queries about your request, please use the request number
quoted above and in the subject line of this email.

 

Yours sincerely,

 

Sarah Price

IRIS Support Officer
Information Rights and Information Security (IRIS) Service | House of
Commons

 


Click here for details about Freedom of Information in the House of Commons and to see what we publish.

FOI Commons, House of Commons

1 Attachment

Dear Mr Wild,

 

 

Freedom of Information request F17-365

 

Thank you for your request for information. You asked two questions about
attempts to hack or access email accounts provided to Members, which we
have sought to answer below.

 

Please note, whilst the House of Commons and the House of Lords are
separate public authorities in accordance with the Freedom of Information
Act 2000 (FOIA), the Parliamentary Digital Service (PDS) is a joint
service providing information and communications technology services for
both Houses of Parliament. The information below covers both Houses and
all users of the parliamentary network e.g. MPs, Members of the House of
Lords, their staff, staff of the House Administrations.

 

1)  Please could you provide a weekly breakdown of the numbers of
successful attempts to hack or access email accounts provided to MPs in
the year to September 6 2017.

 

A cyber-attack incident occurred in June 2017 resulting in a breach to a
number of parliamentary email accounts of staff of the Houses of Commons
and Lords, Members, Members’ staff as well as Members of the House of
Lords and Lords’ staff.  More detailed information about this breach is
available on the parliamentary website here:
[1]http://www.parliament.uk/mps-lords-and-o....

 

Other than this, the House neither confirms nor denies whether or not the
requested information relating to cyber-attacks, and attempts to target
parliamentary email accounts, is held.  In refusing to confirm or deny
this, the House relies on section 24(2) of the FOIA that to confirm or
deny would, or would be likely to, undermine the safeguarding of
national security. The House also relies on section 31(3) of the FOIA that
confirmation or denial would, or would be likely to, prejudice the
administration of justice (as set out in s.31(1)(c)).  We have considered
the public interest test and in this case, the public interest in avoiding
prejudice to these matters prevails. Details of these exemptions are
provided below.

 

Section 24 (Safeguarding national security)

Any information held relating to the above request would be withheld under
section 24(1) of the FOIA, as the House considers that confirming or
denying whether the requested information is held would be likely to
undermine the safeguarding of national security. This is a qualified or
non-absolute exemption and the public interest test applies.

The public interest in favour of disclosure is to ensure that the UK’s
national security is maintained by the provision of adequately robust and
secure defenses against cyber-criminals. 

However, whilst there may be a public interest in access to this
information, the countervailing argument is that by confirming or denying
whether hacks to the parliamentary computer network have occurred, and
whether Members’ email accounts have been targeted, we could potentially
reveal information about the sophistication of Parliament’s IT systems and
processes. This could highlight vulnerabilities in our networks and enable
individuals to determine how successful Parliament is in detecting these
hacks, or attempted hacks. Groups planning attacks are known to conduct
extensive research into the opposition they might face, and to confirm or
deny that the requested information is held, could potentially provide
those groups or individuals with an indication of where to focus their
efforts when targeting our systems, and therefore significantly impact on
national security. As understanding of cyber security becomes more
sophisticated, information relating to cyber-attacks and breaches, and
attempts to target email accounts, could be used for exploiting potential
weaknesses in the parliamentary IT security arrangements and result in an
increase in the number of attacks to the network. Whilst there may be a
public interest in access to this information, it is considered that in
this case it is not in the wider public interest to confirm or deny
whether this information is held, as there is a risk of national security
being compromised.

 

Section 31 (Law enforcement)

 

Any information held relating to the above request would also be withheld
under section 31(1) (a) of the FOIA as the House considers that confirming
or denying whether the requested information is held would be likely to
prejudice the prevention or detection of crime. This is a qualified or
non-absolute exemption and the public interest test applies.

There is a strong public interest in protecting the ability of public
authorities to enforce the law.  It is also in the public interest to
ensure transparency in the way the House of Commons ensures its IT systems
and processes are adequately robust and secure.

However, this is outweighed by the risks of criminal activity being
undertaken if the information was disclosed. Whilst there may be a public
interest in access to this information, by confirming or denying that the
parliamentary network has been targeted, or email accounts hacked, as a
result of cyber-attacks, could potentially assist those parties planning
to launch a criminal attack on Parliament to more accurately target our
networks and would reveal details on the sophistication of Parliament’s IT
systems and processes. This could potentially highlight vulnerabilities in
our networks and provide individuals with an indication of where to focus
their efforts when targeting our systems. Additionally, this information
could assist a criminal to determine if their hacks, or their attempts to
target the system, had been detected or not, and so would enable
individuals to understand how successful Parliament’s IT security systems
are in detecting these attacks. By disclosing whether there had been any
attacks to the network, we would fail in our duty to help prevent
potential future criminal attacks on our IT network, which in turn would
fail in our duty to assist those services providing us with law
enforcement. In these circumstances it is our view that the public
interest in maintaining the exemption outweighs the public interest in
disclosing the information.

 

Please note, we do not hold information on attempts to hack Members’
non-parliamentary email accounts. This would be held by the individual
Member, and not the House of Commons. You may wish to consider contacting
Members individually to ask for the information you seek, contact details
are available at: [2]http://www.parliament.uk/mps-lords-and-o...
However, please note, Members of Parliament are not public authorities for
the purposes of the Freedom of Information Act.  This means that they are
not obliged to respond to requests made under the Act.  Similarly, the Act
does not apply to political parties.

 

 

2)  Could you also provide the numbers of referrals by week to the police
for investigation.

 

This information is not held by the House of Commons.

 

If an MP suspects criminal activity has taken place, and subsequently
contacts the police, the House of Commons would not hold or have access to
this information. This would be held by the Member, and as previously
explained, you may wish to consider contacting Members individually to ask
for the information you seek, contact details are available at:
[3]http://www.parliament.uk/mps-lords-and-o...

 

Additionally, information relating to your request may be held by the
Metropolitan Police Service and you may therefore wish to consider
submitting your request to them.  The contact details of the Metropolitan
Police FOI team are here: [4]http://www.met.police.uk/foi/contact_us....

 

 

You may, if dissatisfied with the handling of your request, complain to
the House of Commons. Alternatively, if you are dissatisfied with the
outcome of your request you may ask the House of Commons to conduct an
internal review of any decision regarding your request. Complaints or
requests for internal review should be addressed to: Information Rights
and Information Security Service, Research and Information Team, House of
Commons, London SW1A 0AA or [5][House of Commons request email].  Please ensure
that you specify the full reasons for your complaint or internal review
along with any arguments or points that you wish to make.

 

If you remain dissatisfied, you may appeal to the Information Commissioner
at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF,
[6]www.ico.gov.uk.

 

Yours sincerely,

 

Lauren

 

 

Lauren Puckey | IRIS Officer
Information Rights and Information Security (IRIS) Service | House of
Commons

 


Click here for information about FOI in the House of Commons, or to see what we publish.