Cyber attacks

Dear Luke Chafer
I acknowledge receipt of your email received by this office on 16 April 2024.
Your request will now be dealt with under the Freedom of Information Act 2000 and has been allocated reference FOI24-121 which should be quoted in all correspondence. We will respond to your request within 20 working days starting the next working day after receipt, therefore you can expect to receive a response no later than 15 May 2024.
In some circumstances a fee may be payable and, if that is the case, we will let you know. A fees notice will be issued to you, and you will be required to pay before we will proceed to deal with your request.

Finally, should you require the disclosure in an alternative format, e.g. screen reader accessible, large print etc, please let us know as soon as possible.

Yours sincerely

Swyddfa Ysgrifenydd y Brifysgol
Prifysgol Caerdydd
Ebost : [email address]

Mae'r Brifysgol yn croesawu gohebiaeth yn Gymraeg neu'n Saesneg. Ni fydd gohebu yn Gymraeg yn creu unrhwy oedi.

University Secretary's Office
Cardiff University
Email: [email address]

The University welcomes correspondence in Welsh or English. Corresponding in Welsh will not lead to any delay.

show quoted sections

Dear Luke Chafer

I am writing in response to your Freedom of Information request dated 16
April 2024

For ease of reference, I have reproduced your questions below and set out
our corresponding responses.

I would like to know how many successful cyber attacks - where research
has been compromised - have taken place in these years: 2023,2022,2021 and
2020.

I would like this broken down into academic department.

I would also like to know how many potential cyber attacks have been
prevented

I would also like to know how many instances has the origin of the attack
been found and if so where was it.

We would consider that to supply the information held would provide those
who are attempting to conduct cyber security attacks against universities
with useful information on the level of security within the University IT
systems. Those who have carried out attacks, including through malware
emails on the University systems would be able to determine the
effectiveness of such attacks and this could encourage further attacks or
different types of attacks. It is likely that these details could be used
in addition to other information already in the public domain which would
assist them to gain a wider understanding of the University systems.

Therefore, we consider that the information which we hold in regards to
any attacks and testing is exempt on the basis of Section 31(1)(a) of the
Freedom of Information Act 2000.  A response to an FOI request has to be
treated as a release of information into the public domain. The release of
such information may provide information which may prompt a change in
behaviour in an effort to avoid detection or give confidence to
individuals to continue the activity.  Providing this information to the
level requested would have a detrimental and prejudicial effect on the
prevention and detection of crime and the apprehension and prosecution of
offenders.

To give details on the successfulness of attacks would be likely to
provide information to malicious actors, and would also give individuals
an insight into the way that the University deals with cyber security
attacks and our recording of such incidents. In coming to this conclusion
the University has taken into consideration the ICO Decision notice
FS50665770 where UK Export Finance received similar requests for the
number of attacks and details of cyber security attacks.

Public Interest Test

Factors in favour of disclosure.

There is a general public interest in demonstrating transparency in
University activity to provide reassurance to the University community
that engagement is undertaken appropriately with law enforcement and other
bodies and action taken to reduce online crime.

Factors in favour of non-disclosure

There is a public interest in not disclosing information that would
compromise the integrity of police investigations and police operations in
the area of online crime. There is a public interest in not disclosing
information that would undermine the University's online security.

On balance the public interest is weighted in favour of non-disclosure.

I trust this information satisfies your enquiry.  Should you feel
dissatisfied with this response or the way in which your request was
handled you can request an Internal Review. This should be made in writing
within 40 working days of the date of this email. Please provide your
unique reference number of your request, information on why you are
dissatisfied and any detail you would like us to consider as part of the
Internal Review process. Email your request to
[1][email address] where it will be forwarded to the
University’s Data Protection Officer who will be responsible for
overseeing the review.

If you remain dissatisfied following the outcome, you have the right to
apply directly to the Information Commissioner for consideration.  The
Information Commissioner can be contacted at the following address:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF.

I would like to take this opportunity to thank you for your interest in
Cardiff University. If you require further assistance, please feel free to
contact me.

Kind regards,

Swyddfa Ysgrifenydd y Brifysgol University Secretary’s Office

Prifysgol Caerdydd Cardiff University

Ebost : [2][email address] Email: [3][email address] 
 
 
 
The University welcomes
Mae'r Brifysgol yn croesawu correspondence in Welsh or English. 
gohebiaeth yn Gymraeg neu'n Saesneg.  Corresponding in Welsh will not lead
Ni fydd gohebu yn Gymraeg yn creu to any delay.
unrhwy oedi.

References

Visible links
1. mailto:[email address]
2. mailto:[email address]
3. mailto:[email address]