Cyber Security

The request was refused by Wirral Metropolitan Borough Council.

Dear Wirral Metropolitan Borough Council,

A Wirral Council Corportal Risk register cites Cyber Security as a major risk to the organisation.

https://democracy.wirral.gov.uk/document...

From August 1 2022 to August 9 2023 (or the latest available data):

1. How many attempts are made to gain unauthorised access to council systems? And who was behind them?

2. Were any of these attempts successful?

3. Was there any data breaches or loss of access to data as a result? What data was compromised?

4. Was there any disruption to council services?

5. What were the financial repercussions of any such data breaches?

6. For successful attempts, when was unauthorised access gained and when did the council become aware unauthorised access was gained?

If breaches did occur, I would like a full breakdown of questions 3 to 6 for each incident.

Yours faithfully,

Ed Barnes

InfoMgr, FinDMT,

[FOI #1013602 email]
Dear Mr Barnes

We write further to your information request regarding cyber attacks on the Council's systems.

Wirral Council relies upon Section 31 of the Freedom of Information Act 2000 and declines to provide a response to this request. Section 31 (law enforcement) states that information is exempt information if its disclosure would, or would be likely to, prejudice the prevention or detection of crime.

Although there is a general public interest in openness (because this increases public trust and engagement), this public interest should be weighed against a very strong public interest in safeguarding the security of council specific systems. It is not in the interests of an individual council to provide information about the number of attacks that may or may not have been made against its IT systems. This could enable individuals to deduce how successful the Council is in detecting these attacks and incurring this risk cannot be considered to be in the public interest.

In this instance, the Council can neither confirm nor deny whether details about numbers and types of cyber-attacks are held under Section 31(3) of the Freedom of Information Act 2000. Confirming or denying whether information is held on cyber-attacks and what remedial measures may or may not have been taken could aid malicious parties by encouraging further attacks. Attacks on IT systems are criminal offences, so to provide information or confirmation of information being held might prejudice the prevention of crime by facilitating the possibility of an offence being carried out. There is a very strong public interest in the effectiveness of law enforcement and the prevention of crime.

You have the right under Section 17 of the Freedom of Information Act 2000 to ask for an internal review of this decision. Please direct any request for an internal review to [Wirral Borough Council request email] and your request will be allocated for review. If you are dissatisfied with the outcome of an internal review you also have the right to complain to the information Commissioner, who can be contacted at: https://ico.org.uk/global/contact-us/

Yours sincerely

Lynette Paterson
Principal Information Management Officer
Resources – Digital and Improvement
Wirral Council
PO Box 290
Brighton Street
Wallasey
CH27 9FQ

Email: [Wirral Borough Council request email]

Visit our website: www.wirral.gov.uk

show quoted sections