Breakdown of malicious emails

Request

Please find below my FOI request regarding malicious emails sent to the department.

The date range for the requests is from 2018 to present day. The data shall include a breakdown by year and by individual departments (e.g. separate departments, agencies, or public bodies within the main government agency), if applicable.

  1. How many malicious emails have been successfully blocked?

  2. What percentage of malicious emails were opened by staff?

  3. What percentage of malicious links in the emails were clicked on by staff?

  4. How many ransomware attacks were blocked by the department?

  5. How many ransomware attacks were successful?


Response

I can confirm that we hold information relevant to your request, but it is subject to a Refusal Notice under sections 24(1), 31(1) and 38(1)(b) of the FOIA.

Section 24(1) – national security

This exemption allows for information to be exempt from disclosure if it is required for the purpose of safeguarding national security. Safeguarding national security refers not only to the security of the UK, but also cooperation between other states in combating international terrorism and guarding against actions which may have an impact on the UK and its citizens. The impact does not have to be direct or immediate, and the organisation concerned does not have to be a security body.

If IPSA were to provide the information within the scope of the request, it could leave the organisation vulnerable to cyber-attacks. A consequence of this could be the loss of information about the work of IPSA, as well as the personal data of IPSA staff, MPs and their staff and other individuals with whom IPSA has contact, falling into unscrupulous hands.

Article 5(1)(f) of the UK GDPR states that personal data shall be

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

IPSA would therefore look to minimise the risk to personal data, as it could face enforcement action under the UK GDPR.

Cyber-attacks could also result in IPSA being unable to carry out its day-to-day business of processing payments for MPs’ business expenses and responding to MP queries, as it could be unable to access its systems or be forced to take them offline. This would have the further consequence of MPs being unable to carry out their parliamentary duties effectively, which may have an impact on those they help as well as an impact on UK democracy.

Section 31(1)(a) – law enforcement

This exemption applies where disclosure of information would or would be likely to prejudice the prevention and detection of crime. The exemption can be applied to public authorities without any specific law enforcement responsibilities and to withhold information that would make anyone, including the public authority itself, more vulnerable to crime.

In relying on this exemption IPSA considers the implication of the financial information and other personal data, including home addresses falling into the wrong hands. IPSA holds this information not only for its own staff but also for MPs and their staff. Disclosure could result in individuals being victims of fraud or other types of criminal activity.

Section 38(1)(b) – health and safety

This exemption applies where the disclosure of information would or would be likely to endanger the safety of any individual. IPSA’s reliance on this exemption is linked to the use of section 31(1)(a), as any risk of physical crime could also result in a risk to the safety of individuals. IPSA is particularly aware of the risk to MPs and their staff, with the first six months of 2021 showing an increase in media reporting on the threats to MPs and their staff. Not all reports are related to physical attacks, but the fear which can be felt from receiving a threat can be equally as damaging both mentally and physically. The death of the MP Sir David Amess highlighted the impact when the threat of physical attack becomes a reality.

Public interest considerations

All three exemptions are subject to a consideration of the public interest test. IPSA understands how disclosure of this information would enable the public to understand the extent of cyber-attacks experienced by IPSA and the resilience of its systems, which could go some way in reassuring the public.

However, the disclosure of this information could also demonstrate potential vulnerabilities, as well as exposing individuals, in particular MPs and their staff, to financial or physical attacks. MPs and their staff have difficult jobs, and IPSA is aware that the decision to disclose, with the potential risks, could make it more difficult for them to fulfil these. This would have a knock-on effect on those whom MPs and their staff are trying to help.

IPSA, therefore, finds that the public interest in withholding this information outweighs the public interest in disclosure at this time.

Ref:
RFI-202111-07
Disclosure:
10 January 2022
Categories:
IPSA - OPERATIONS
Exemptions Applied:
Section 24(1), Section 31(1)(a), Section 38(1)(b)