Cyber Security
Dear Cardiff University,
Please could you kindly provide me the following information regarding your cyber security:
• How many reported cybercrime incidents occurred in 2022, 2023 and 2024.
• How do you measure the criticality of reported cybercrime incidents. I.e., what constitutes a low, medium, or high incident.
• What percentage of cybercrime incidents were recorded as “high” or “critical” in accordance with your internal triage system.
• How many incidents over the period of 20-22 and 20-24 resulted in a data breach of information relating to staff or students.
• How much funding was allocated to cyber security protection in 2022, 2023 and 2024
Yours faithfully,
Chloe Seaton
Dear Chloe Seaton
I acknowledge receipt of your two emails received by this office on 21 November 2024 in which you requested information regarding Cybersecurity.
As your requests relate to similar information they have been aggregated and will be dealt with as one request under the Freedom of Information Act 2000 under reference FOI24-418 which should be quoted in all correspondence.
For your information, the Freedom of Information Fees Regulations state that two or more requests to one public authority can be aggregated for the purposes of calculating costs if they are:
* by one person, or by different persons who appear to the public authority to be acting in concert or in pursuance of a campaign;
* for the same or similar information; and
* the subsequent request is received by the public authority within 60 working days of the previous request.
We will respond to your request within 20 working days starting the next working day after receipt, therefore you can expect to receive a response no later than 20 December 2024.
Where we consider that we will not be able to meet this deadline or if further time is required to consider the public interest test we will contact you as soon as possible and give you a revised date for response.
In some circumstances a fee may be payable and, if that is the case, we will let you know. A fees notice will be issued to you, and you will be required to pay before we will proceed to deal with your request.
Finally, should you require the disclosure in an alternative format, e.g. screen reader accessible, large print etc, please let us know as soon as possible.
Yours sincerely
University Secretary's Office
Cardiff University
Email: [email address]
The University welcomes correspondence in Welsh or English. Corresponding in Welsh will not lead to any delay.
Dear Chloe,
I am writing in response to your Freedom of Information request dated 21st
November 2024.
For ease of reference, I have reproduced your questions below and set out
our corresponding responses.
1. How many reported cybercrime incidents occurred in 2022, 2023 and
2024.
Cardiff University neither confirms nor denies that it holds information
falling within the description specified in your request. The duty in
Section 1(1)(a) of the Freedom of Information Act 2000 does not apply, by
virtue of and 31(3) of that Act (Law Enforcement). This should not be
taken as an indication that the information you requested is or is not
held by the University.
2. How do you measure the criticality of reported cybercrime incidents.
I.e., what constitutes a low, medium, or high incident.
3. What percentage of cybercrime incidents were recorded as “high” or
“critical” in accordance with your internal triage system.
The University confirms it holds this information. However, we would
consider that to supply the information held would provide those who are
attempting to conduct cyber security attacks against universities with
useful information on the level of security within the University IT
systems. Those who have carried out attacks, including through malware
emails on the University systems would be able to determine the
effectiveness of such attacks and this could encourage further attacks or
different types of attacks. It is likely that these details could be used
in addition to other information already in the public domain which would
assist them to gain a wider understanding of the University systems.
Therefore, we consider that the information which we hold in regards to
any attacks and testing is exempt on the basis of Section 31(1) (a) and
(b) of the Freedom of Information Act 2000. A response to an FOI request
has to be treated as a release of information into the public domain. The
release of such information may provide information which may prompt a
change in behaviour in an effort to avoid detection or give confidence to
individuals to continue the activity. Providing this information to the
level requested would have a detrimental and prejudicial effect on the
prevention and detection of crime and the apprehension and prosecution of
offenders.
To give details on the successfulness of attacks would be likely to
provide information to malicious actors, and would also give individuals
an insight into the way that the University deals with cyber security
attacks and our recording of such incidents. In coming to this conclusion
the University has taken into consideration the ICO Decision notice
FS50665770 where UK Export Finance received similar requests for the
number of attacks and details of cyber security attacks.
Public Interest Test
Factors in favour of disclosure.
There is a general public interest in demonstrating transparency in
University activity to provide reassurance to the University community
that engagement is undertaken appropriately with law enforcement and other
bodies and action taken to reduce online crime.
Factors in favour of non-disclosure
There is a public interest in not disclosing information that would
compromise the integrity of police investigations and police operations in
the area of online crime. There is a public interest in not disclosing
information that would undermine the University's online security.
The release of such information may disrupt law enforcement activity by
prompting a change in behaviour in an effort to avoid detection or giving
confidence to individuals to continue the activity. Providing this
information would have a detrimental effect on the prevention and
detection of crime and the apprehension and prosecution of offenders.
On balance the public interest is weighted in favour of non-disclosure.
4. How many incidents over the period of 20-22 and 20-24 resulted in a
data breach of information relating to staff or students.
Please see our response to question 1.
5. How much funding was allocated to cyber security protection in 2022,
2023 and 2024
Please see our response to questions 2 & 3.
I trust this information satisfies your enquiry. Should you feel
dissatisfied with this response or the way in which your request was
handled you can request an Internal Review. This should be made in writing
within 40 working days of the date of this email. Please provide your
unique reference number of your request, information on why you are
dissatisfied and any detail you would like us to consider as part of the
Internal Review process. Email your request to [email address] where it
will be forwarded to the University’s Data Protection Officer who will be
responsible for overseeing the review.
If you remain dissatisfied following the outcome, you have the right to
apply directly to the Information Commissioner for consideration. The
Information Commissioner can be contacted at the following address:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF.
I would like to take this opportunity to thank you for your interest in
Cardiff University. If you require further assistance, please feel free to
contact me.
Kind regards,
University Secretary's Office
Cardiff University
Email: [email address]
The University welcomes correspondence in Welsh or English. Corresponding in Welsh will not lead to any delay.