Details of cyber attacks on the Scottish Government in 2018: FOI release

FOI reference: FOI/18/02465  
Date received: 12 September 2018
Date responded: 21 September 2018

 

Details of cyber-attacks on the Scottish Government in 2018, including details of any information that is believed to be hacked, and what steps were taken to halt attacks in the future.

 

The core Scottish Government has not identified any cyber-attacks to the IT systems it operates during 2018.

Whilst we are able to provide you with information on cyber-attacks on the Scottish Government in 2018 as per your request, information on the what steps are taken to halt attacks in the future is subject to an exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs).

Disclosing this information would substantially prejudice our ability to protect government assets and digital information.

Providing specific details about the products and equipment we use in Cyber Security and Defence and the Cyber Security Operations Centre could subsequently be used by attackers or hackers to circumvent these defences. This could potentially enable them to target other types of attack or specific components of our defences and would constitute substantial prejudice to the effective conduct of public affairs in terms of the exemption.

This exemption is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. 

 

We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting government information systems from attack or compromise and ensuring that the Scottish Government is able to conduct its business effectively. There is also greater public interest in ensuring that any identified vulnerabilities could not be used to attack Scottish Government systems that hold information entrusted to us by the citizens for whom we provide online services, and for whom we also have responsibilities under the General Data Protection Regulation (GDPR) to protect personal information.

NB ‘core Scottish Government’ refers to all Scottish Government Directorates and does not cover Executive Agencies, Executive Non-Departmental Public Bodies, Non-Ministerial Departments or other associated bodies.

 

About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses