Details of any cyber-security breaches experienced by the SIA
Published 1 May 2026
Request
I would like to request the following information for each calendar year from 2020 to 2026 inclusive:
- The number of cyber security breaches that have been identified that were found to be a result of a malicious threat actor (i.e. not an accidental data breach).
- The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc.
- The number of breaches that occurred that were attributed to a previously known vulnerability to the organisation's hardware, software, policies, or processes, for example where a system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.
- The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.
Response
We can confirm that we hold this information. The information you have requested is exempt from disclosure under Section 31(1)(a) and (c). This exemption provides that information is exempt where its disclosure would, or would be likely to, prejudice the prevention or detection of crime and the administration of justice. Confirming whether or not cyber-attack attempts have occurred could expose vulnerabilities or provide insight into our security posture, which may increase the risk of further malicious activity.
Section 31 is a prejudice-based exemption. We have therefore considered whether disclosing this information is in the public interest.
We have considered the public interest test in relation to this exemption. While we recognise the importance of transparency and accountability, we believe that the public interest in safeguarding the security and integrity of our systems, and in preventing potential criminal activity, outweighs the public interest in disclosure.
[Ref: FOI 0597]