We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - FOI/EIR release

Cyber attacks against the Scottish Government information: FOI release

Published
26 March 2025
Directorate
Safer Communities Directorate
Topic
Public sector
FOI reference
FOI/202500450879
Date received
3 February 2025
Date responded
28 March 2025

Information request and response under the Freedom of Information (Scotland) Act 2002

Information requested

An updated breakdown of the number of cyber attacks against the Scottish Government and its agencies in each of the past five years, as well as the names of which organisations were affected by these incidents.

Response

The Scottish Government is not a formal reporting agency for cyber incidents/attacks, which means that agencies are not obliged to report any cyber incidents or attacks they experience to us. However, we encourage any Scottish public body that does experience a cyber incident to notify the Scottish Government under the voluntary Scottish Public Sector Cyber Incident Notification Procedure so that we help to ensure that all relevant and necessary support can be provided. The year-by-year notification under this procedure of public bodies affected by a cyber-attack is as follows:-

Year:

2020

2021

2022

2023

2024

Number of cyber-attacks 

11

10

8

10

20 (as of 3rd February 2025) 

While our aim is to provide information to the public whenever possible, in this instance we are unable to provide some of the information you have requested because of exemptions under sections 30(c) of FOISA. The reason why this exemption applies is explained below.

Breakdown of which organisations suffered incidents/attacks over the five years - exempt under sections 30(c) (prejudice to effective conduct of public affairs).

Organisations report voluntarily to Scottish Government, and this allows us to effectively support them in their response to incidents and so that the whole sector can learn lessons. Disclosing information of this nature would undermine public bodies’ trust in Scottish Government, reduce the likelihood of them reporting to us and substantially prejudice our ability to effectively support the sector during cyber incidents.

Furthermore, revealing which organisations have experienced cyber attacks could help threat actors to map out security capabilities, enabling them to bypass any security controls. This knowledge could empower them to mount more effective and targeted attacks, significantly undermining the effective conduct and delivery of public affairs and services.

This exemption is subject to the ‘public interest test’. We recognise that there may be some interest by the public for this information; however after taking account of all the circumstances of this case, we have found that, on balance, applying this exemption is withheld in order to protect the confidentialitybased relationships across the sector; avoid publicising details of the incidents and avoid increasing the risk of further and more damaging cyber attacks on the sector.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.

Contact

Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG

Back to top