Information on cyber attacks of which public bodies in Scotland have been a victim: FOI release

Information requested

You asked for:
1)  The number of public bodies that - to the Scottish Government's knowledge - have been the victim of a cyber attack since 1 January 2021.

2)  The number of public bodies still recovering from the effects of successful cyber attacks which have occurred since 1 January 2021.

Response

1) In 2021, 10 public sector cyber incidents were reported to the Scottish Government, under the Scottish Public Sector Notifiable Cyber Incident Procedure and Policy. In 2022, until 31 March, 2 cyber incidents were recorded under this procedure.

The Scottish Government is not a reporting agency for cyber incidents or cyber attacks. We encourage Scottish public bodies that experience cyber incidents to notify the Scottish Government Cyber Resilience Unit under the Scottish Public Sector Notifiable Cyber Incident Procedure.

2) While our aim is to provide information whenever possible, in this instance the costs of locating, retrieving and providing the information requested would exceed the upper cost limit of £600. Locating the information to respond to your request would take the staff costs over the upper cost limit. The Scottish Public Sector Notifiable Cyber Incident Procedure and Policy is in place to support organisations with immediate cyber  incident management and response, rather than their long-term recovery.

Public sector bodies generally manage their recovery processes themselves dependant on their own circumstances, therefore inquiring about their current operational status would require a time-consuming and widely-spanned information trawl.

Under section 12 of FOISA public authorities are not required to comply with a request for information if the authority estimates that the cost of complying would exceed the upper cost limit, which is currently set at £600 by Regulations made under section 12.

You may, however, wish to consider reducing the scope of your request in order that the costs can be brought below £600.

Specifying a particular cyber attack, a public body that might have experienced a cyber attack, or specifying a sector of the wider public sector may bring the cost of providing a response below the upper cost limit.

You may also find it helpful to look at the Scottish Information Commissioner’s ‘Tips for requesting information under FOI and the EIRs’ on his website at: http://www.itspublicknowledge.info/YourRights/Tipsforrequesters.aspx.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.itspublicknowledge.info/appeal.