RFI 122: Cyber security breaches
Updated 27 April 2026
Subject: Freedom of Information request
Thank you for your email dated 4 April 2026, in which you asked for the following information:
“Under the Freedom of Information Act, I would like to request the following information for each calendar year from 2020 to 2026 inclusive:
- The number of cyber security breaches that have been identified that were found to be a result of a malicious threat actor (i.e. not accidental data breach).
- The breakdown in high-level causes of these breaches as identified by cyber security incident response teams (CSIRTs), for example (but not limited to) unpatched software/hardware, lack of multi-factor authentication (MFA), leaked user credentials, lack of in-transit encryption, etc.
- The number of breaches that occurred that were attributed to a previously known vulnerability to the organisation's hardware, software, policies, or processes, for example where the system was known to be at risk due to being unpatched or out of support, or security controls were recommended but not enforced, and was defined within the resulting incident response report.
- The estimated combined costs incurred as a result of cyber security breaches defined in request number one in each year.
No specific details are requested in relation to software/hardware utilisation, but rather high-level causes of breaches. I believe the high-level nature of this request does not allow for the use of s.31(1)(a) of the FOIA as this would not be likely to prejudice the security of your systems or data, as these are historical incidents which have since been dealt with. The public interest in understanding breach causes across public sector organisations outweighs the public interest in the exemption. I would like you to provide the information in Word, Excel, or CSV format.”
We have considered your request under the Freedom of Information Act 2000 (‘FOI Act’).
Under the FOI Act, you have the right to:
- know whether the Single Source Regulations Office (‘SSRO’) holds the information you require
- be provided with that information (subject to any exemptions under the FOI Act which may apply).
In response to matters 1) to 4), the SSRO considers that disclosing whether or not we hold the requested information would invite malicious actors to attempt to perpetrate cyber security breaches against the SSRO. This would make the SSRO more vulnerable to crime. Therefore, disclosing whether or not we hold the requested information would prejudice the prevention or detection of crime (section 31(1)(a) of the FOI Act).
Confirming whether we do or do not hold information requested under matter 1), i.e. between 2020 and 2026 the number of cyber security breaches identified as resulting from the actions of a malicious threat actor, could be construed by malicious actors as an indication of the number of their cyber security breaches not identified. This would invite malicious actors to attempt to perpetrate cyber security breaches against the SSRO.
Confirming whether we do or do not hold information requested under matters 2), 3) and 4), would invite malicious actors to attempt to perpetrate a cyber security breach against the SSRO irrespective of the fact the information requested is historic. The information requested relates to cyber security breaches identified as coming from malicious actors. Confirming whether we do or do not hold the information would convey to them information that could be considered relevant to their understanding of cyber security breaches that have not been so identified. This would invite malicious actors to attempt to commit cyber security breaches against the SSRO.
We are therefore relying on section 31(3) of the FOI Act, which allows us to refuse to confirm or deny if the information is held. The exemption relied upon is a qualified exemption and is subject to the public interest test. This is a test of whether we should confirm or deny that the information is held, rather than whether the information requested should be disclosed. We have balanced the public interest in confirming or denying whether the information is held against the public interest in maintaining the exemption. Factors in favour of confirming whether the information in response to matters 1) to 4) is held or not by the SSRO are that it would support transparency of the organisation’s activities, it would provide information about how effective our security systems are and could inform people about whether our systems are vulnerable or not. Weighed against this, confirming whether we hold the information in response to matters 1) to 4) or not would increase the likelihood of attempted cyber security breaches by malicious actors, by giving them insight that could be considered relevant to their understanding of cyber security breaches that have not been identified as coming from them.
As stated, should the SSRO confirm it holds all of the information requested, this would give malicious actors insight that could be considered relevant to their understanding of cyber security breaches that have not been identified as deriving from them. If, conversely, the SSRO states that it does not hold this information, this would be construed by malicious actors as demonstrating the SSRO has poor techniques for detecting cyber security breaches identified as coming from them. In either scenario, this would encourage malicious actors to attempt to perpetrate a cyber security breach against the SSRO.
Having weighed these public interests, our conclusion is that the public interest in maintaining the exemption outweighs the public interest in confirming or denying whether the information is held.
If you are dissatisfied with the handling of your request, you have the right to ask for an internal review. Internal review requests should be submitted within two months of the date of receipt of our response to your request and should be addressed to: enquiries@ssro.gov.uk.
If you are not content with the outcome of the internal review, you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Please remember to quote the reference number above in any future communications in respect of your request.
Yours sincerely
Joanne Watts
Chief Regulatory Officer